EDR: Sensor Health Error "Event Source Not Connected"

Article ID: 291045

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Sensor health shows "Event Source Not Connected" with a health score of 50/100.
  • Restart of sensor services temporarily resolves the issue.
  • The following can be seen in the cbdaemon.log:
    BaseEventCollector.cpp:1190: CB_DRIVER_REQUEST_APPLY_FILTER failed: Bad file descriptor

Environment

  • EDR Server: All Supported Versions
  • EDR Sensor: 6.3.0 and Higher
  • SUSE Linux: All Supported Versions

Cause

The kernel development package for the installed version of Linux is not installed on the endpoint.

Resolution

  1. Run the command cat /boot/config-$(uname -r) | grep CONFIG_IKHEADERS. If the result is CONFIG_IKHEADERS=m or CONFIG_IKHEADERS=y, then no header package needs to be installed.
  2. You can check the running kernel version by running the following command:
    $ uname -r
  3. For CentOS, RHEL, Oracle RHCK or Amazon Linux
    1. To check whether the kernel headers are installed (any user can run this):
      $ yum list kernel-devel-$(uname -r)
    2. To install the necessary kernel headers:
      $ sudo yum install -y kernel-devel-$(uname -r)
    3. When properly installed, the required kernel headers are located under
      /usr/src/kernels/$(uname -r)/include/
    4. If the kernel headers package cannot be found
      • Linux distributions regularly update the kernel package and might not keep the old kernel headers package in their package repos. If this happens, the easiest solution is to update the system to the latest kernel and then rerun the kernel headers install command.
      • To update the kernel to the latest version and install kernel headers, run the following commands (this requires a reboot):
        $ sudo yum update kernel kernel-devel
        
        $ reboot
  4. For SUSE or OpenSUSE
    1. To check whether the kernel headers are installed (any user can run this):
      $ zypper se -s kernel-default-devel | grep $(uname -r | sed "s/-default//")
      $ zypper se -s kernel-devel | grep $(uname -r | sed "s/-default//")
    2. The output should be like the following, where the i+ signifies that the package is installed. If the left-hand column is v or is blank, the package must be installed.
      i+ kernel-default-devel | package | 4.12.14-lp150.12.25.1 | x86_64 | openSUSE-Leap-15.0-Update
    3. To install the necessary kernel headers:
      $ zypper install --oldpackage kernel-default-devel=$(uname -r | sed "s/-default//")
      
      $ zypper install --oldpackage kernel-devel=$(uname -r | sed "s/-default//")
    4. When properly installed, the required kernel headers are located under
      /usr/src/linux-$(uname -r | sed "s/-default//")/include/
  5. For Debian
    1. To check whether the kernel headers are installed (any user can run this):
      apt list linux-headers-$(uname -r)
    2. To install the necessary kernel headers:
      sudo apt install linux-headers-$(uname -r)
    3. When properly installed, the required kernel headers are located under
      /usr/src/linux-headers-$(uname -r)/include/
  6. For Ubuntu
    1. To check whether the kernel headers are installed (any user can run this):
      apt list linux-headers-$(uname -r)
    2. To install the necessary kernel headers:
      sudo apt install linux-headers-$(uname -r)
    3. When properly installed, the required kernel headers are located under
      /usr/src/linux-headers-$(uname -r)/include/
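
The checks from the Issue and Resolution sections combined into one script, as an added example that is not part of the original article or vendor tooling: it looks for the logged error, then tests CONFIG_IKHEADERS and the per-distribution header directories listed above. The function names and the ROOT path-prefix parameter are assumptions for illustration, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. ROOT is a hypothetical path prefix so the
# check can run against a test tree; leave it empty on a real endpoint.

SIGNATURE='CB_DRIVER_REQUEST_APPLY_FILTER failed: Bad file descriptor'

# has_filter_error LOGFILE: succeeds if the log holds the error from the article.
has_filter_error() {
    grep -Fq "$SIGNATURE" "$1" 2>/dev/null
}

# kernel_headers_status KERNEL_RELEASE [ROOT]
# Prints "ikheaders", "headers:<dir>" or "missing"; returns 1 only for "missing".
kernel_headers_status() {
    krel=$1
    root=${2:-}
    cfg="$root/boot/config-$krel"
    # Step 1: CONFIG_IKHEADERS=m or =y means no header package is needed.
    if [ -r "$cfg" ] && grep -Eq '^CONFIG_IKHEADERS=[my]$' "$cfg"; then
        echo "ikheaders"
        return 0
    fi
    # SUSE header directories drop the "-default" suffix from uname -r.
    suse_rel=$(printf '%s\n' "$krel" | sed 's/-default//')
    for dir in \
        "$root/usr/src/kernels/$krel/include" \
        "$root/usr/src/linux-$suse_rel/include" \
        "$root/usr/src/linux-headers-$krel/include"
    do
        if [ -d "$dir" ]; then
            echo "headers:$dir"
            return 0
        fi
    done
    echo "missing"
    return 1
}

# Constructed demo: SUSE-style tree with headers present, CONFIG_IKHEADERS unset.
demo=$(mktemp -d)
mkdir -p "$demo/boot" "$demo/usr/src/linux-4.12.14-lp150.12.25/include"
echo '# CONFIG_IKHEADERS is not set' > "$demo/boot/config-4.12.14-lp150.12.25-default"
kernel_headers_status 4.12.14-lp150.12.25-default "$demo"
rm -rf "$demo"
```

On an endpoint, call `kernel_headers_status "$(uname -r)"` with no ROOT argument, and pass the path of your cbdaemon.log to `has_filter_error`.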

Additional Information

  • The sensor's underlying BPF implementation requires the Linux kernel headers for the active kernel to be installed before the sensor is installed. This is relevant if you install the sensor on a BPF system without using the install script.
  • You may see errors in the cbdaemon.log about the distribution service not being able to reach the repo URL to get the kernel headers itself. The sensor tries to get this information during install and tries checking again.