EDR: How to Verify if Ingress Filtering is Working
Article ID: 291117
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to verify that the ingress filter is dropping events as expected
Resolution
- For a rough check, use cbstats to compare the number of events received with the number written:
/usr/share/cb/cbstats -m SensorUpload.events,SensorUpload.events_written 5
- Compare events (ev) with events_written (ev_wrtn): when the filter is dropping events, events_written stays below events.
- For verbose confirmation that shows which events matched the filter, enable debug logging in the datastore:
- Open the datastore logging configuration for editing (this can be done on any node that holds events): /etc/cb/datastore/logback.conf.xml
- Look for the following line:
<logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="INFO" />
- Change the level from INFO to DEBUG:
<logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="DEBUG" />
- Tail the datastore debug log for a live view of rejected events. A service restart is not required:
tail -f /var/log/cb/datastore/debug.log | grep -i "REJECTING"
- After verification, set the level back to INFO so the debug log does not fill storage.
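The level change and its reversal are the two steps most likely to be done by hand on several nodes. As an added example (not Carbon Black code), the script below flips only the ingress_filters logger named in this article between INFO and DEBUG while leaving the rest of the logback file, including comments, untouched; the sample XML it ships with is constructed for offline demonstration and is not the shipped datastore configuration, and the file path is the one the article gives.

```python
"""Toggle the ingress_filters logger level in a logback configuration (added example)."""
import sys
import xml.etree.ElementTree as ET

# Logger name and default path are those given in the article.
INGRESS_FILTER_LOGGER = "com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters"
DEFAULT_CONFIG = "/etc/cb/datastore/logback.conf.xml"

# Constructed sample resembling a logback config; not the real shipped file.
SAMPLE_CONFIG = f"""<configuration scan="true">
  <!-- constructed sample; not the shipped datastore configuration -->
  <logger name="com.carbonblack.cbfs" level="WARN" />
  <logger name="{INGRESS_FILTER_LOGGER}" level="INFO" />
  <root level="WARN" />
</configuration>
"""


def _parse(xml_text):
    # insert_comments keeps XML comments so a round-trip does not strip them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def get_logger_level(xml_text, logger_name=INGRESS_FILTER_LOGGER):
    """Return the level attribute of the named <logger>, or None if it is absent."""
    for logger in _parse(xml_text).iter("logger"):
        if logger.get("name") == logger_name:
            return logger.get("level")
    return None


def set_logger_level(xml_text, level, logger_name=INGRESS_FILTER_LOGGER):
    """Return the config with the named logger set to DEBUG (verify) or INFO (normal).

    Only that logger's level attribute changes. Raises LookupError if the logger
    is missing, so a typo in the name cannot silently leave the level unchanged.
    """
    level = level.upper()
    if level not in {"DEBUG", "INFO"}:
        raise ValueError("expected DEBUG or INFO")
    root = _parse(xml_text)
    matches = [lg for lg in root.iter("logger") if lg.get("name") == logger_name]
    if not matches:
        raise LookupError(f"no <logger name={logger_name!r}> in configuration")
    for logger in matches:
        logger.set("level", level)
    return ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # usage: python toggle_ingress_filter_debug.py DEBUG|INFO [path]
    wanted = sys.argv[1] if len(sys.argv) > 1 else "DEBUG"
    path = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_CONFIG
    with open(path) as fh:
        original = fh.read()
    with open(path, "w") as fh:
        fh.write(set_logger_level(original, wanted))
    print(f"{INGRESS_FILTER_LOGGER}: {get_logger_level(original)} -> {wanted.upper()}")
```

Run it with DEBUG before tailing the log and with INFO afterwards; because logback reloads the file on its own, no service restart is needed in either direction.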