EDR EventForwarder: Certain event types are not sending to S3 bucket
Article ID: 291062
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Event Forwarder is not sending all selected event types despite seeing subscriptions in the /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
- Example of subscriptions :
2015/12/07 12:57:26 Diagnostics available via HTTP at http://cbtest:33706/debug/vars 2015/12/07 12:57:26 Starting AMQP loop 2015/12/07 12:57:26 Connecting to message bus... 2015/12/07 12:57:26 Subscribed to watchlist.hit.# 2015/12/07 12:57:26 Subscribed to watchlist.storage.hit.# 2015/12/07 12:57:26 Subscribed to feed.ingress.hit.# 2015/12/07 12:57:26 Subscribed to feed.storage.hit.# 2015/12/07 12:57:26 Subscribed to feed.query.hit.# 2015/12/07 12:57:26 Subscribed to alert.watchlist.hit.# 2015/12/07 12:57:26 Subscribed to ingress.event.process 2015/12/07 12:57:26 Subscribed to ingress.event.procstart 2015/12/07 12:57:26 Subscribed to ingress.event.netconn 2015/12/07 12:57:26 Subscribed to ingress.event.procend 2015/12/07 12:57:26 Subscribed to ingress.event.childproc 2015/12/07 12:57:26 Subscribed to ingress.event.moduleload 2015/12/07 12:57:26 Subscribed to ingress.event.module 2015/12/07 12:57:26 Subscribed to ingress.event.filemod 2015/12/07 12:57:26 Subscribed to ingress.event.regmod
Environment
- EDR Server: All Supported Versions
- EDR EventForwarder: All Supported Versions
Cause
- Misconfiguration in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf or /etc/cb/cb.conf file(s)
Resolution
- Ensure that the appropriate event selections are made in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file :
- Example (note: not all configurations will be the same) :
events_raw_sensor=ingress.event.procstart,ingress.event.netconn,ingress.event.processblock,ingress.event.emetmitigation events_watchlist=watchlist.hit.process,watchlist.hit.binary,watchlist.storage.hit.process,watchlist.storage.hit.binary events_feed=feed.ingress.hit.process,feed.ingress.hit.binary,feed.ingress.hit.host,feed.storage.hit.process,feed.storage.hit.binary,feed.query.hit.process,feed.query.hit.binary events_binary_observed=binaryinfo.observed,binaryinfo.host.observed,binaryinfo.group.observed events_binary_upload=binarystore.file.added
- Ensure the proper settings are made in the /etc/cb/cb.conf file :
- As an example, if only binarystore.file.adds are being seen in the S3 bucket, verify the following settings in the cb.conf file, particularly DataStoreBroadCastEventTypes:
# If this property is not empty, it will enable publishing of incoming events from # sensors onto RabbitMQ PUBSUB enterprise bus (see RabbitMQ (cb-rabbitmq service) # settings in this file). The value of this property consists of one or more of the # following comma-separated event types that should be published: # * procstart (or process) # * procend # * childproc # * moduleload # * module # * filemod # * regmod # * netconn # If you wish to subscribe for ALL of the above events, "*" value can be specified. # Each event type will be published to its own topic: ingress.event.<event type> # DatastoreBroadcastEventTypes=procstart,netconn
- As another example, if Raw Events are missing verify EnableRawSensorDataBroadcast=True
See this article for more information on enabling RawEvents.
See the Related Content below for more information on the Event Forwarder
Additional Information
For raw starting events ingress.event.procstart can be used in place of ingress.event.process
Feedback
Yes
No
Powered by
