EDR: How to create a symbolic link to move the /var/log/cb data location

Article ID: 290912

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article explains how to create a symbolic link in the Linux OS to relocate the EDR product's log file data to a different location without breaking product functionality.

Environment

  • EDR: All Versions
  • Linux OS: All Supported Versions

Resolution

  1. Stop the server/cluster: EDR: How to Restart Server Services
  2. Create the parent directory for the logs on the disk you want to move the data to
    • Example: mkdir -p /apps/var/log
  3. Move the existing logs:
    • mv /var/log/cb /apps/var/log/cb
  4. Create a symbolic link:
    • ln -s /apps/var/log/cb /var/log/cb
  5. Modify the cb-redis configuration to explicitly point to the new log location.
    • Edit the file /etc/cb/redis.conf
    • Look for the line "logfile /var/log/cb/redis/redis.log"
    • Change the path to point to the new log file location for this service; using the example shown here it would be changed to:
      • logfile /apps/var/log/cb/redis/redis.log
    • Save the file
  6. Modify the cb-rabbitmq configuration to explicitly point to the new log location.
    • Edit the file /etc/cb/rabbitmq/rabbitmq-env.conf.
    • Look for the line "RABBITMQ_LOG_BASE=/var/log/cb/rabbitmq"
    • Change the path to point to the new log file location for this service; using the example shown here it would be changed to:
      • RABBITMQ_LOG_BASE=/apps/var/log/cb/rabbitmq
    • Save the file
  7. Start the server/cluster: EDR: How to Restart Server Services
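
A check that can be run between steps 6 and 7 to confirm the move is consistent. This is an added example, not code from the vendor article; the function name `check_cb_log_move` and its `ROOT` prefix argument (empty on a real server, a scratch directory for rehearsal) are assumptions.

```shell
#!/bin/sh
# Added example: post-move consistency check for the procedure above.
# Usage: check_cb_log_move ROOT TARGET
#   ROOT   - hypothetical path prefix ("" on a real server)
#   TARGET - new log directory, e.g. /apps/var/log/cb
check_cb_log_move() {
    root=$1 target=$2 rc=0
    link="$root/var/log/cb"

    # Step 4: /var/log/cb must be a symlink that resolves to the new directory.
    real=$(cd "$link" 2>/dev/null && pwd -P || true)
    want=$(cd "$root$target" 2>/dev/null && pwd -P || true)
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symbolic link"; rc=1
    elif [ -z "$real" ] || [ "$real" != "$want" ]; then
        echo "FAIL: $link does not resolve to $root$target"; rc=1
    fi

    # Steps 5 and 6: cb-redis and cb-rabbitmq must name the real path,
    # not a path that goes through the /var/log/cb symlink.
    redis_log=$(sed -n 's/^logfile[[:space:]]\{1,\}//p' \
        "$root/etc/cb/redis.conf" 2>/dev/null | tr -d '"' | tail -n 1)
    rabbit_base=$(sed -n 's/^RABBITMQ_LOG_BASE=//p' \
        "$root/etc/cb/rabbitmq/rabbitmq-env.conf" 2>/dev/null | tail -n 1)

    if [ "$redis_log" != "$target/redis/redis.log" ]; then
        echo "FAIL: redis.conf logfile is '$redis_log'"; rc=1
    fi
    if [ "$rabbit_base" != "$target/rabbitmq" ]; then
        echo "FAIL: RABBITMQ_LOG_BASE is '$rabbit_base'"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: log location moved to $target"
    fi
    return "$rc"
}
```

On a server that followed the example paths, call it as `check_cb_log_move "" /apps/var/log/cb`; a non-zero return means at least one step was missed.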

Additional Information

  • Logging should continue to work as expected at the new location; if it does not, open a Support case with Carbon Black
  • Log rotation still works correctly: it rotates the logs and deletes old ones (verified by advancing the system time and invoking log rotation; older logs were gone as expected)
  • The CBDiag utility can still pull logs from the symlinked location
  • The cb-redis and cb-rabbitmq services, which are based on third-party software, are apparently unable to write log files to a symlink, and must be configured to explicitly use the new location (see instructions above). However, their log files can still be accessed using the symlink.