EDR: How to Find All Sensors With DuplicateIDs
Article ID: 291097
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Query to find all duplicated sensors with the same sensorID values
Environment
- EDR Server: 5.X and Higher
Resolution
Run the following query from each node of a cluster to find sensor IPs checking in with the same IDs:
- On versions before 7.5
zcat -f /var/log/cb/nginx/access*|sed -rn 's/^\:\:ffff\:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+submit2\/([0-9]+) .+$/\2,\1/p'|sort|uniq|tee sensor_ip|awk -F, '{print $1}'|sort|uniq -c|sort -nr
2. On versions above 7.5
zcat -f /var/log/cb/nginx/access*|sed -rn 's/^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+submit2\/([0-9]+) .+$/\2,\1/p'|sort|uniq|tee sensor_ip|awk -F, '{print $1}'|sort|uniq -c|sort -nr
Additional Information
Information can be piped to a file for review with the following example given, and replace the nodeID with each Minion/Node number to track where the file is ran from:
zcat -f /var/log/cb/nginx/access*|sed -rn 's/^\:\:ffff\:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+submit2\/([0-9]+) .+$/\2,\1/p'|sort|uniq|tee sensor_ip|awk -F, '{print $1}'|sort|uniq -c|sort -nr > duplicate_sensors_nodeID.txt
Feedback
Yes
No
Powered by
