EDR: How to Verify if Ingress Filtering is Working

Article ID: 291117

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to verify that the ingress filter is dropping events as expected

Environment

  • EDR Server: All Versions

Resolution

  1. Verify via cbstats for a rough check
    /usr/share/cb/cbstats -m SensorUpload.events,SensorUpload.events_written 5
    1. Compare events (ev) with events_written (ev_wrtn); if events_written stays below events, the filter is dropping events
  2. Verify via logs for a verbose confirmation that shows the matched events
    1. Open the datastore logging configuration, /etc/cb/datastore/logback.conf.xml, for editing (this can be done on any node that receives events)
    2. Look for the following line:
      <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="INFO" />
    3. Change the level from INFO to DEBUG:
      <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="DEBUG" />
    4. Tail the datastore debug log for a live view of the rejected events; no service restart is required:
      tail -f /var/log/cb/datastore/debug.log | grep -i "REJECTING"
    5. After verification, set the level back to INFO so the debug output does not fill storage
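The logger toggle and the REJECTING count from steps 2.1 to 2.5, as an added helper script that is not part of this article or of Carbon Black's tooling. It assumes the logger element has exactly the single-line form shown above, takes the config and log paths as arguments so it can be pointed at the real files, and demonstrates itself on constructed sample files rather than real EDR output.

```sh
#!/bin/sh
# Added helper (not from the KB article): flips the ingress_filters logger
# between INFO and DEBUG in a logback.conf.xml and counts REJECTING lines
# in a datastore debug log. Pass the real paths from the article to use it
# on a server; demo() below runs against constructed sample files.

LOGGER='com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters'
LOGGER_RE=$(printf '%s' "$LOGGER" | sed 's/\./\\./g')   # escape dots for sed

# get_ingress_filter_level <conf-file>: prints the logger's current level
get_ingress_filter_level() {
    sed -n "s|.*<logger name=\"$LOGGER_RE\" level=\"\([A-Z]*\)\".*|\1|p" "$1"
}

# set_ingress_filter_level INFO|DEBUG <conf-file>: rewrites only this
# logger's level attribute, then verifies it; non-zero status on failure
set_ingress_filter_level() {
    level="$1"; conf="$2"
    case "$level" in INFO|DEBUG) ;; *) echo "level must be INFO or DEBUG" >&2; return 1 ;; esac
    sed "s|\(<logger name=\"$LOGGER_RE\" level=\"\)[A-Z]*\(\"\)|\1$level\2|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    [ "$(get_ingress_filter_level "$conf")" = "$level" ]
}

# count_rejected <debug-log>: prints how many lines the filter rejected
count_rejected() {
    grep -ci 'REJECTING' "$1" || true
}

# Demo on constructed files (assumed format, not real EDR output).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/logback.conf.xml" <<'EOF'
<configuration>
  <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="INFO" />
  <logger name="com.carbonblack.cbfs.other" level="INFO" />
</configuration>
EOF
    printf '%s\n' 'REJECTING event: matched ingress filter' 'accepted event' \
                  'REJECTING event: matched ingress filter' > "$tmp/debug.log"
    set_ingress_filter_level DEBUG "$tmp/logback.conf.xml" \
        && echo "level now $(get_ingress_filter_level "$tmp/logback.conf.xml")"
    echo "rejected lines: $(count_rejected "$tmp/debug.log")"
    set_ingress_filter_level INFO "$tmp/logback.conf.xml" \
        && echo "level restored to $(get_ingress_filter_level "$tmp/logback.conf.xml")"
    rm -rf "$tmp"
}
demo
```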

Additional Information