CB Response: Concurrent cb-event-forwarders file output error

search cancel

CB Response: Concurrent cb-event-forwarders file output error

book

Article ID: 292085

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

/etc/cb/intergrations/cb-event-forwarder/cb-event-forwarder.log contains:

time="2019-07-28T03:21:16Z" level=error msg="ERROR during output: rename /var/cb/data/event-forwarder/event-forwarder /var/cb/data/event-forwarder/event-forwarder.2019-07-28T03:21:05.179: no such file or directory"

Environment

CB Response OnPrem: 6.x
CB Event Forwarder: 3.x

Cause

Both cb-event-forwarders are attempting to use the same default temp file.

Resolution

Modify the output configuration of the 2nd event-forwarder to use a unique temp file:

splunkout=/var/cb/data/event-forwarder-02:https://http-inputs-companyname.splunkcloud.com:443/services/collector/event

Additional Information

CB Response Cloud does not support multiple event-forwarders.

Feedback

thumb_up Yes

thumb_down No