EDR: How to reset a Linux Sensor ID


Article ID: 292103


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Reset a Linux sensor's ID.

Environment

  • EDR (formerly CB Response) Sensor: All Supported Versions

  • Linux OS: All Supported Versions

Resolution

 
  1. On the endpoint itself, delete the config file containing the sensor ID.
    • 6.1 and lower:
      sudo rm /var/lib/cb/config.ini
    • 6.2 and higher:
      sudo rm /var/opt/carbonblack/response/config.ini
  2. Restart the sensor. This will trigger the sensor to re-register with the server and receive a new ID.
    • sudo service cbdaemon restart
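
The two steps above combined into one script that picks the config path from the sensor version and refuses to restart if nothing was removed. This is an added example, not vendor tooling; `ROOT` and `DRY_RUN` are hypothetical environment variables for rehearsing against a scratch directory, and the script is assumed to run as root.

```shell
#!/bin/sh
# Added example (not vendor code). Run as root on the endpoint.
# ROOT    (hypothetical): path prefix, for rehearsal on a scratch tree.
# DRY_RUN (hypothetical): if set, the cbdaemon restart is skipped.

# Print the config.ini location for a sensor version such as 6.1.9 or 6.2.
sensor_config_path() {
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    # Reject anything that is not numeric major.minor.
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 2 ]; }; then
        echo "/var/opt/carbonblack/response/config.ini"   # 6.2 and higher
    else
        echo "/var/lib/cb/config.ini"                     # 6.1 and lower
    fi
}

# Delete the config file holding the sensor ID, then restart the sensor
# so it re-registers with the server and receives a new ID.
reset_sensor_id() {
    cfg=$(sensor_config_path "$1") || { echo "bad version: $1" >&2; return 2; }
    cfg="${ROOT:-}$cfg"
    if [ ! -f "$cfg" ]; then
        # Wrong version given or already reset: leave the sensor alone.
        echo "no config at $cfg; sensor not restarted" >&2
        return 1
    fi
    rm -- "$cfg" || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "removed $cfg (dry run: restart skipped)"
    else
        service cbdaemon restart
    fi
}

# Usage: ./reset_sensor_id.sh 6.2.1
if [ "$#" -gt 0 ]; then
    reset_sensor_id "$1"
fi
```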

Additional Information


When a sensor re-registers to the server, the new sensor ID will not relate to events previously associated with the endpoint. For situations where data needs to be reviewed from before and after the sensor ID change, search for the endpoint via the hostname field.