EDR: Sensors generating 403 reserve errors in the master server's nginx access.log
Article ID: 291134

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • /var/log/cb/nginx/access.log will show entries like this:
1.2.3.140 - - [15/Dec/2017:00:27:07 -0500(0.000)] "GET /data/eventlog/reserve/128644 HTTP/1.1" 403 427 "-" "" ">127.0.0.1:9000" "-" "-" 
1.2.3.159 - - [15/Dec/2017:00:27:33 -0500(0.001)] "GET /data/eventlog/reserve/141757 HTTP/1.1" 403 427 "-" "" ">127.0.0.1:9000" "-" "-" 
1.2.3.159 - - [15/Dec/2017:00:27:33 -0500(0.001)] "GET /data/storefile/reserve/141757 HTTP/1.1" 200 0 "-" "" ">127.0.0.1:9000" "-" "-" 
1.2.3.105 - - [15/Dec/2017:00:27:33 -0500(0.000)] "GET /data/eventlog/reserve/129634 HTTP/1.1" 403 427 "-" "" ">127.0.0.1:9000" "-" "-"
  • It looks like after the sensor makes another register call, the condition clears and the sensor starts sending data back to the correct minion.
  • 403 is returned for the event log reserve call because the master does not have an events core in Solr.
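As an added example (not part of the article), a small Python parser that scans access.log lines in the format shown above and lists the sensors whose /data/eventlog/reserve or /data/storefile/reserve requests were answered with 403, so affected hosts can be found and upgraded; the trailing number in the path is assumed here to identify the sensor, and the sample lines are constructed from the excerpt above.

```python
import re

# Constructed sample: the four lines from the article plus one non-matching line.
SAMPLE_LOG = """\
1.2.3.140 - - [15/Dec/2017:00:27:07 -0500(0.000)] "GET /data/eventlog/reserve/128644 HTTP/1.1" 403 427 "-" "" ">127.0.0.1:9000" "-" "-"
1.2.3.159 - - [15/Dec/2017:00:27:33 -0500(0.001)] "GET /data/eventlog/reserve/141757 HTTP/1.1" 403 427 "-" "" ">127.0.0.1:9000" "-" "-"
1.2.3.159 - - [15/Dec/2017:00:27:33 -0500(0.001)] "GET /data/storefile/reserve/141757 HTTP/1.1" 200 0 "-" "" ">127.0.0.1:9000" "-" "-"
1.2.3.105 - - [15/Dec/2017:00:27:33 -0500(0.000)] "GET /data/eventlog/reserve/129634 HTTP/1.1" 403 427 "-" "" ">127.0.0.1:9000" "-" "-"
this line is not in access.log format and must be skipped
"""

# Matches the nginx access.log layout shown in the article:
# client ip, two dashes, bracketed timestamp (with the "(0.000)" suffix), request, status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# The reserve endpoints from the article; the trailing id is assumed to be the sensor id.
RESERVE_RE = re.compile(r'^/data/(?P<kind>eventlog|storefile)/reserve/(?P<sensor_id>\d+)$')


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_misrouted_reserves(log_text):
    """Map sensor id -> {'ip', 'count'} for reserve calls the master rejected with 403.

    A 200 on a reserve path (the storefile line above) is not reported: only the
    403 responses indicate a sensor talking to an eventless master.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['status'] != 403:
            continue
        pm = RESERVE_RE.match(rec['path'])
        if pm is None:
            continue
        entry = hits.setdefault(pm.group('sensor_id'), {'ip': rec['ip'], 'count': 0})
        entry['count'] += 1
    return hits


if __name__ == '__main__':
    for sid, info in sorted(find_misrouted_reserves(SAMPLE_LOG).items()):
        print(f"sensor {sid} at {info['ip']}: {info['count']} rejected reserve call(s)")
```

Run it against the real file with `find_misrouted_reserves(open('/var/log/cb/nginx/access.log').read())` to get the list of sensors still on an affected version.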

Environment

  • EDR Sensors: All 6.1.x and 6.2.1 sensors
  • EDR Servers: All versions

Cause

Windows 6.1.x sensors can get confused and start sending /data/storefile/reserve and /data/eventlog/reserve calls to an eventless master, which is invalid.

Resolution

CB-17170 is fixed in sensor version 6.2.2 and later versions.

Additional Information

This behavior may also cause the following message:
worker_connections are not enough, reusing connections