CB Response: Linux sensors exceeding size limits in /var/lib/cb/eventlogs

Article ID: 290456

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Drive space on the endpoint is filling up rapidly
  • /var/lib/cb/eventlogs is taking up more disk space than configured in the QuotaEventlog fields in /var/lib/cb/sensorsettings.ini
  • Sensor logs may show the following warning multiple times:
    • Eventlog quota exceeded: ####### bytes (limit:###### bytes)

Environment

  • CB Response Sensor 5.2.13, 6.1.3 - 6.1.6
  • Linux: All Supported Versions

Cause

This is a known issue, CB-18976, fixed in the 6.1.7 and 5.2.17 sensor releases.

Resolution

  • For 5.x sensors, upgrade to 5.2.17 or higher
  • For 6.x sensors, upgrade to 6.1.7 or higher
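
To confirm that an endpoint is hitting this issue and to see how far over the limit it has gone, the added example below (not Carbon Black's code) summarises the `Eventlog quota exceeded` warnings in a sensor log. The log file path is supplied by the caller because this article does not name it, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise "Eventlog quota exceeded" warnings from a sensor log.
# Assumption: the warning has the shape shown in this article:
#   Eventlog quota exceeded: <used> bytes (limit:<limit> bytes)

# quota_warnings [FILE...]
# Reads the named files (or stdin) and prints one line:
#   <warning_count> <worst_used_bytes> <limit_bytes> <worst_overage_bytes>
quota_warnings() {
    cat "$@" |
    sed -n 's/.*Eventlog quota exceeded: *\([0-9][0-9]*\) bytes (limit: *\([0-9][0-9]*\) bytes).*/\1 \2/p' |
    awk '
        {
            n++
            over = $1 - $2
            # Track the warning with the largest overage.
            if (n == 1 || over > max_over) { max_over = over; used = $1; limit = $2 }
        }
        END {
            if (n == 0) print "0 0 0 0"
            else printf "%d %s %s %.0f\n", n, used, limit, max_over
        }
    '
}

# Constructed sample log lines (timestamps and prefixes are made up).
constructed_sample() {
    cat <<'EOF'
2024-01-01 00:00:01 WARN Eventlog quota exceeded: 2147483648 bytes (limit:1073741824 bytes)
2024-01-01 00:05:01 INFO unrelated sensor message
2024-01-01 00:10:01 WARN Eventlog quota exceeded: 5368709120 bytes (limit:1073741824 bytes)
EOF
}

# Stand-alone use: pass a log file, or run with no arguments for the sample.
if [ $# -gt 0 ]; then
    quota_warnings "$@"
else
    constructed_sample | quota_warnings
fi

# Current on-disk usage of the eventlog directory named in this article, in KiB:
#   du -sk /var/lib/cb/eventlogs
```

A non-zero warning count on a sensor in the affected version range, together with `du` output well above the configured quota, matches the symptoms listed above.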