EDR: Events from newer alerts produce 404s


Article ID: 291881


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Loading an event from a recent alert returns a 404 page
  • Endpoints associated with the Alerts do not show up in the Sensors page
  • MaxEventStore* settings in cb.conf retain data beyond the date of the alert
  • SensorLookupInactiveFilterDays is set in /etc/cb/cb.conf

Environment

  • EDR (formerly Cb Response) Server: All Versions

Cause

This is a known issue, tracked as CB-21843.

Resolution

  • SensorLookupInactiveFilterDays must match the maximum number of days that event data is retained
  • For Server 7.2 and Above
    1. Go to Sensors > All Sensors and select "Sensor Display Settings"
    2. In the pop-up, set the value to the desired maximum event retention in days and click "Save"
  • For Server 7.1 and Below
    1. Open /etc/cb/cb.conf in a text editor
    2. Determine the maximum retention of sensor events
    3. Set SensorLookupInactiveFilterDays to match that value
    4. Save and exit cb.conf
    5. Restart services: https://community.carbonblack.com/t5/Knowledge-Base/Cb-Response-How-to-restart-services/ta-p/41294
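
The comparison in steps 2 and 3 for Server 7.1 and below can be scripted. The following is an added example, not vendor code: it assumes cb.conf uses Key=Value lines with '#' comments, the function names are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not vendor code). Assumption: cb.conf holds Key=Value lines, '#' starts a comment.

# conf_get FILE KEY: print the last uncommented value assigned to KEY (nothing if absent).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_lookup_window FILE
# Returns 0 if the lookup window covers retention, 1 if it is shorter, 2 if it cannot compare.
check_lookup_window() {
    _lookup=$(conf_get "$1" SensorLookupInactiveFilterDays)
    _retain=$(conf_get "$1" MaxEventStoreDays)
    case "$_lookup" in
        '')       echo "SensorLookupInactiveFilterDays is not set in $1"; return 2 ;;
        *[!0-9]*) echo "SensorLookupInactiveFilterDays is not a number: $_lookup"; return 2 ;;
    esac
    # Per the article, a value of 0 means an unlimited number of days.
    if [ "$_lookup" -eq 0 ]; then echo "OK: lookup window is unlimited"; return 0; fi
    case "$_retain" in
        ''|*[!0-9]*) echo "MaxEventStoreDays missing or not numeric: '$_retain'"; return 2 ;;
    esac
    if [ "$_lookup" -lt "$_retain" ]; then
        echo "MISMATCH: SensorLookupInactiveFilterDays=$_lookup is less than MaxEventStoreDays=$_retain"
        return 1
    fi
    echo "OK: SensorLookupInactiveFilterDays=$_lookup, MaxEventStoreDays=$_retain"
}

# Demo on a constructed sample (values invented for illustration, not from a real server).
_sample=$(mktemp)
printf '%s\n' '# constructed sample' 'MaxEventStoreDays=90' \
    'SensorLookupInactiveFilterDays=30' > "$_sample"
check_lookup_window "$_sample" || true
rm -f "$_sample"
```

On the server, source the file and run check_lookup_window /etc/cb/cb.conf; a return code of 1 means step 3 still needs to be applied.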

Additional Information

  • A value of 0 for the setting will set an unlimited number of days
  • Maximum length of event retention is set by the MaxEventStoreDays setting in /etc/cb/cb.conf
  • Increasing the sensor display settings will not affect how license limits are calculated