EDR: no longer receiving cb-event-forwarder events
Article ID: 292183
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Events are no longer being received by the SIEM application.
The following error messages are present in /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log:
time="2020-07-28T01:14:28Z" level=info msg="Lost connection to <ip or dns record>:<port>. Will try to reconnect at 2020-07-28 01:14:33.27134625 +0000 UTC m=+714423.744364816."
time="2020-07-28T01:14:28Z" level=error msg="ERROR during output: dial tcp <ip>:<port>: connect: connection refused"
time="2020-07-28T01:14:28Z" level=error msg="File output error; exiting immediately."
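A log check for the failure signature quoted above, as an added example that is not part of the original article or of cb-event-forwarder: it parses the key=value log lines and reports each "exiting immediately" event together with the output error that preceded it. The sample lines are constructed from the article's excerpt, with 192.0.2.10:514 as a placeholder for the SIEM endpoint.

```python
import re
import sys

# key=value fields as in the article's log excerpt; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: the article's three lines with a documentation address
# (192.0.2.10:514) substituted for the <ip>:<port> placeholders.
SAMPLE = '''\
time="2020-07-28T01:14:28Z" level=info msg="Lost connection to 192.0.2.10:514. Will try to reconnect at 2020-07-28 01:14:33.27134625 +0000 UTC m=+714423.744364816."
time="2020-07-28T01:14:28Z" level=error msg="ERROR during output: dial tcp 192.0.2.10:514: connect: connection refused"
time="2020-07-28T01:14:28Z" level=error msg="File output error; exiting immediately."
'''

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def find_forwarder_exits(lines):
    """List each 'exiting immediately' error with the output error seen before it."""
    incidents = []
    last_output_error = None
    for line in lines:
        fields = parse_line(line)
        if fields.get("level") != "error":
            continue  # the 'Lost connection' line is info level and is skipped
        msg = fields.get("msg", "")
        if msg.startswith("ERROR during output:"):
            last_output_error = msg.split(":", 1)[1].strip()
        elif "exiting immediately" in msg:
            incidents.append({"time": fields.get("time"),
                              "reason": msg,
                              "output_error": last_output_error})
            last_output_error = None
    return incidents

if __name__ == "__main__":
    # With a path argument, scan that log file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE.splitlines()
    for hit in find_forwarder_exits(lines):
        print(f'{hit["time"]} forwarder exited: {hit["output_error"]}')
```

Run it with the log path from this article as the argument to scan a real forwarder log.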
Environment
EDR Server (formerly CB Response): All Versions
CB Event Forwarder: Version 3.7.0
Cause
This is due to a known issue fixed in 3.7.1 - CB-32264.