EDR: v7.1.0 Linux Sensors Going Offline
Article ID: 291874
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Linux Sensor suddenly go offline
- High CPU usage for cbdaemon process
Environment
- EDR Linux Sensor: 7.1.0
Cause
Known issue related to file descriptor leak with the v7.1.0 Linux Sensor (EA-21139).
Resolution
Issue has been addressed in the 7.1.1 Linux Sensor Release (CB-37984: Sensor Offline)
Additional Information
- EA-21139 - Sensors go offline due to leak in file descriptors
- Possible workarounds:
- Increase cb-enterprise file handler limit:
a. Open to modify '/etc/cb/cb.conf' on Primary, and all Secondary servers if in a Cluster
b. Locate tag/value below, make suggested change:
b. Locate tag/value below, make suggested change:
CbFileDescriptorLimit=80000
change to:
CbFileDescriptorLimit=100000
c. Restart EDR services:
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Restart-Server-Services/ta-p/41294
- And/or create cron job to restart cbdaemon:
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-To-Create-a-Cron-Job-to-Restart-cbdaemon/ta-p/113976
Feedback
Yes
No
Powered by
