EDR: Sensor Debug Logs are Filling Up the Drive
Article ID: 291152
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Disk space is filling up because of log files in C:\Windows\CarbonBlack\DebugLogs.
Environment
- EDR Windows Sensor: 7.2.1 and 7.2.2
Cause
Certain events are logged frequently to the debug log files and this event is causing the logs to grow large.
Resolution
This issue was resolved with the release of Sensor version 7.3.0.
Additional Information
- The previous logs may need to be deleted to clear up the disk space as the upgrade to 7.3 won't delete the old logs
- It is safe to delete the log files in C:\Windows\CarbonBlack\DebugLogs
- Enable EDR Tamper Protection on 7.2.1 and higher Windows sensors, to stop the hooking of any A/V products to the sensor.
- As a workaround, the Sensor can be prevented from writing debug log files by creating the following registry key in HKLM\Software\CarbonBlack\config
Type : REG_DWORD Name: DebugLevel Value: Default 0
Feedback
Yes
No
Powered by
