CB Response: Server Dashboard shows wide fluctuations in sensors going offline for large installations (50K or more)

search cancel

CB Response: Server Dashboard shows wide fluctuations in sensors going offline for large installations (50K or more)

book

Article ID: 290884

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

"Online Sensor Count" in the Server Dashboard shows wild fluctuations and values too low to what actual count should be.
Those sensors designated offline will not be accessible with CB Live Response.
The sensorservices process on the minions may be using high CPU cycles.

Environment

CB Response Server: 6.3.0 and earlier
CB Response Sensors: All Versions

Cause

The sensor services on the minions are maxing out the sensor checkins per second.

Resolution

Upgrade to CB Server 6.3.1 which contains a fix for issue "CB-25430"
Update/add these values to /etc/cb/cb.conf on every node

SensorCheckingDelayRate=25                  // SensorCheckingDelayRate is not spelled incorrectly and does contain a "g"
MaxSensorCheckinDelaySec=600
MinSensorCheckinDelaySec=300

Additional Information

Although the sensors are considered "offline" by the master, these sensors will continue to upload data that will be accessible to all the CB functions including reporting, alerts, etc. (other than CB Live Response).

Feedback

thumb_up Yes

thumb_down No