EDR: Selecting an Event From the Alerts Page Results in a 404 Page

Article ID: 291929

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

From the Detect -> Triage Alerts page, selecting an Alert that would normally open the Process Analysis page instead returns a custom 404 page.

Environment

  • EDR Server: All versions

Cause

The process events for the Alert have already been purged, or moved to cold storage, by the data retention settings configured in /etc/cb/cb.conf.

Resolution

  • This is functioning as designed.
  • Consult Technical Support or Professional Services if the configured data retention is too short for your needs.

Additional Information

  • EDR should retain event data for no more than 30 days. Longer retention can adversely affect performance in the environment.
  • The EDR Server routinely purges process events whenever any of the configured MaxEventStore* limits is reached. Because the process event the alert is tied to has already been purged, a 404 is expected when navigating to it.
  • In a cluster with more than one event node, purge timing can differ between nodes. It is therefore possible to receive a 404 for a younger process while still being able to view an older one, if the two process documents are stored on different nodes.
  • Default retention values
    • 5.2.x, 5.3.x

| Value | Function | cb.conf Default | Product Default |
| --- | --- | --- | --- |
| MaxEventStoreSizeInPercent | Prevents running out of disk space. The oldest Solr documents are purged when this percentage of disk space is used. | 70 | 70 |
| MaxEventStoreSizeInMB | Limits the amount of disk space Solr can use. The oldest Solr documents are purged when Solr reaches this size. Same functionality as MaxEventStoreSizeInPercent. | #1000000 (commented) | 0 (Unlimited) |
| MaxEventStoreSizeInDocs | Decreases query time. The oldest Solr documents are purged when this document count limit is reached. | 60 | 120 |
| MaxEventStoreDays | Balances long-running process retention against normal retention. Purges long-running processes. 5.2.6+ also purges modulestore files if binary file sharing with Alliance is disabled. | 30 | 0 (Unlimited) |
    • 6.x and Higher

| Value | Function | cb.conf Default | Product Default |
| --- | --- | --- | --- |
| MaxEventStoreDays | Decreases query time. When cores reach this age they are unmounted/deleted. | 30 | 0 (Unlimited) |
| MaxEventStoreSizeInMB | Limits the amount of disk space Solr can use. The oldest Solr core is unmounted/deleted when Solr reaches this size. Same functionality as MaxEventStoreSizeInPercent. | #1000000 (commented) | 0 (Unlimited) |
| MaxEventStoreSizeInPercent | Prevents running out of disk space. The oldest Solr core is unmounted/deleted when this percentage of disk space is used. | 90 | 90 |
| SolrTimePartitioningActivePartitions | Controls the number of actively searched Solr partitions that remain in the query index. | 30 | 30 |
  • If KeepAllModuleFiles is set to true, it overrides the MaxEventStoreDays purge setting for the modulestore.
  • AlwaysDeleteColdPartitions determines whether an aged-out core is unmounted (warm core to cold core) or deleted outright.
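The following is an added example, not Carbon Black code, showing how to confirm from the server side that a 404 on an alert is the expected result of retention rather than a fault. It parses the MaxEventStore* keys from cb.conf-style text (a commented-out key is treated as absent, so the product default applies, which is how the server behaves), lists which purge limits are actually enabled, and reports whether a given process start time already lies outside MaxEventStoreDays. The cb.conf content below is a constructed sample; the product defaults are taken from the 6.x table above.

```python
"""Decide whether an alert's 404 is the expected result of cb.conf retention.

Added example, not Carbon Black code. Reads the MaxEventStore* keys from
cb.conf-style text (commented-out keys fall back to the product default, as
the server does), lists the purge limits that are enabled, and tells you
whether a process start time is already older than MaxEventStoreDays.
"""
from datetime import datetime, timedelta

# 6.x product defaults from the table above. 0 means the limit is disabled.
PRODUCT_DEFAULTS = {
    "MaxEventStoreDays": 0,
    "MaxEventStoreSizeInMB": 0,
    "MaxEventStoreSizeInPercent": 90,
    "SolrTimePartitioningActivePartitions": 30,
}

# Constructed sample of the retention section of /etc/cb/cb.conf.
SAMPLE_CB_CONF = """
MaxEventStoreDays=30
#MaxEventStoreSizeInMB=1000000
MaxEventStoreSizeInPercent=90
SolrTimePartitioningActivePartitions=30
KeepAllModuleFiles=false
AlwaysDeleteColdPartitions=false
"""


def parse_cb_conf(text):
    """Return active key=value pairs. Lines starting with '#' are skipped,
    so a commented-out key is simply absent and its default applies."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_retention(settings):
    """Merge the parsed settings over the product defaults for the purge keys."""
    effective = {}
    for key, default in PRODUCT_DEFAULTS.items():
        raw = settings.get(key)
        effective[key] = int(raw) if raw is not None and raw.isdigit() else default
    return effective


def active_purge_limits(retention):
    """Names of the MaxEventStore* limits that are enabled (non-zero). Any one
    of them can unmount or delete the oldest core, so a process may be gone
    well before it reaches MaxEventStoreDays."""
    return [k for k in ("MaxEventStoreDays", "MaxEventStoreSizeInMB",
                        "MaxEventStoreSizeInPercent") if retention[k] > 0]


def older_than_retention(process_start_iso, now_iso, retention):
    """True when the process started more than MaxEventStoreDays ago, so the
    Process Analysis link is expected to return 404. False does not guarantee
    the process is still present: a size limit may have purged it earlier, and
    in a multi-node cluster each event node purges on its own schedule."""
    days = retention["MaxEventStoreDays"]
    if days == 0:  # 0 = unlimited, the day-based purge never runs
        return False
    start = datetime.fromisoformat(process_start_iso)
    now = datetime.fromisoformat(now_iso)
    return start < now - timedelta(days=days)


if __name__ == "__main__":
    retention = effective_retention(parse_cb_conf(SAMPLE_CB_CONF))
    print("effective retention:", retention)
    print("enabled purge limits:", active_purge_limits(retention))
    for start in ("2024-04-01T00:00:00", "2024-05-20T00:00:00"):
        verdict = older_than_retention(start, "2024-06-01T00:00:00", retention)
        print(f"process started {start}: "
              f"{'404 expected' if verdict else 'within MaxEventStoreDays'}")
```

On a real server, read /etc/cb/cb.conf in place of SAMPLE_CB_CONF and pass the alert's process start time from the Triage Alerts page. Treat a "within MaxEventStoreDays" result as inconclusive, not as proof of a defect, for the reasons given in the docstring: size-based limits and per-node purge timing can remove a core before the day limit.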