Raw Events Are Not Forwarding With Cb-Event-Forwarder When Enabled.


Article ID: 369956


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Raw events are not being forwarded to the SIEM even though the log files show the event types are subscribed.

Environment

  • Cb-Event-Forwarder: 3.8.3 and lower
  • EDR Server: All Supported Versions

Cause

Older versions of the cb-event-forwarder are not able to decompress the compressed raw protobufs of newer sensor versions. 

Resolution

Please upgrade to the latest version of the cb-event-forwarder:

  1. Stop the event forwarder services
    systemctl stop cb-event-forwarder
  2. Use yum to update
    yum update cb-event-forwarder
  3. Start the event forwarder services
    systemctl start cb-event-forwarder
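
The script below is an added example, not part of the original article or vendor tooling. It checks whether the installed cb-event-forwarder RPM falls in the affected range listed under Environment (3.8.3 and lower) and, if so, runs the three steps above and confirms the service is active afterwards. The function names and the `--upgrade` argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and the --upgrade
# argument are assumptions made for this illustration.

AFFECTED_MAX="3.8.3"   # highest affected version, per the Environment section

# is_affected VERSION: succeeds (exit 0) when VERSION <= AFFECTED_MAX.
is_affected() {
    [ -n "$1" ] || return 2
    # sort -V orders version strings numerically per component, so
    # 3.10.0 sorts after 3.8.3. If AFFECTED_MAX is the larger of the
    # pair, VERSION is in the affected range.
    highest=$(printf '%s\n%s\n' "$1" "$AFFECTED_MAX" | sort -V | tail -n 1)
    [ "$highest" = "$AFFECTED_MAX" ]
}

# Prints the installed package version; fails if the RPM is absent.
installed_version() {
    rpm -q --queryformat '%{VERSION}' cb-event-forwarder
}

upgrade_if_affected() {
    if ! version=$(installed_version 2>/dev/null); then
        echo "cb-event-forwarder is not installed" >&2
        return 1
    fi
    if ! is_affected "$version"; then
        echo "cb-event-forwarder $version is newer than $AFFECTED_MAX; nothing to do"
        return 0
    fi
    echo "cb-event-forwarder $version is affected; upgrading"
    systemctl stop cb-event-forwarder || return 1
    yum update cb-event-forwarder || return 1
    systemctl start cb-event-forwarder || return 1
    # Confirm the service came back up and report the new version.
    systemctl is-active --quiet cb-event-forwarder || return 1
    echo "now running cb-event-forwarder $(installed_version)"
}

# Nothing is changed unless the script is invoked with --upgrade.
if [ "${1:-}" = "--upgrade" ]; then
    upgrade_if_affected
fi
```

Run it as root with `--upgrade` on the host where the forwarder is installed; without that argument it only defines the functions.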