Raw Events Are Not Forwarding With Cb-Event-Forwarder When Enabled.
Article ID: 369956
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Raw events are not being forwarded to the SIEM even though the log files show the event types are subscribed.
Environment
- Cb-Event-Forwarder: 3.8.3 and lower
- EDR Server: All Supported Versions
Cause
Older versions of the cb-event-forwarder are not able to decompress the compressed raw protobufs of newer sensor versions.
Resolution
Please upgrade to the latest version of the cb-event-forwarder:
- Stop the event forwarder services
systemctl stop cb-event-forwarder
- Use yum to update
yum update cb-event-forwarder
- Start the event forwarder services
systemctl start cb-event-forwarder
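
The following script is an added example, not part of the original article or the vendor's tooling. It checks whether the installed forwarder falls in the affected range (3.8.3 and lower) before running the three steps above. It assumes the forwarder was installed as the RPM package cb-event-forwarder; the function names and the --apply argument are the script's own.

```shell
#!/bin/sh
# Added example: decide whether this host runs an affected forwarder version
# and, if so, run the stop / update / start steps from the article.
LAST_AFFECTED="3.8.3"   # from the article's Environment section

# is_affected VERSION: returns 0 if VERSION <= LAST_AFFECTED, 1 if newer,
# 2 if VERSION is not a dotted numeric string. Fields are compared as
# integers, so 3.10.0 is correctly treated as newer than 3.8.3.
is_affected() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    a=$1 b=$LAST_AFFECTED
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0   # equal to the last affected release
}

upgrade_if_affected() {
    # %{VERSION} omits the RPM release suffix, leaving only dotted numbers.
    ver=$(rpm -q --queryformat '%{VERSION}' cb-event-forwarder) || {
        echo "cb-event-forwarder is not installed" >&2
        return 1
    }
    rc=0
    is_affected "$ver" || rc=$?
    case $rc in
        0)  echo "Installed $ver is in the affected range (<= $LAST_AFFECTED); upgrading"
            systemctl stop cb-event-forwarder &&
            yum update cb-event-forwarder &&
            systemctl start cb-event-forwarder ;;
        1)  echo "Installed $ver is newer than $LAST_AFFECTED; this issue does not apply" ;;
        *)  echo "Could not parse installed version: $ver" >&2
            return 2 ;;
    esac
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    upgrade_if_affected
fi
```

Run as root with --apply on the host where the forwarder is installed.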