Error "Details for this tree node are unavailable" on Process Analysis page for Linux sensor event

Article ID: 407749

Products

  • Carbon Black Cloud Enterprise EDR
  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Workload

Issue/Introduction

Clicking on the process details for a Linux sensor alert event can open an empty Process Analysis page with the red error message "Details for this tree node are unavailable".

Environment

  • Carbon Black Cloud Console: Current Version
  • Carbon Black Cloud Linux Sensor: All Supported Versions
  • Linux OS: All Supported Versions

Cause

An incorrect device timestamp ("device_timestamp": "1601-01-01T00:00:00Z") causes the data to be assigned an incorrect process_guid, which the CBC backend uses to organize processes. SOLR indexes events from processes with the wrong timestamp under the same process_guid, so the CBC backend can't collapse or make sense of the data.

Resolution

The device timestamp on the Linux endpoint needs to be corrected and updated/synced with a valid NTP source, so that incoming events get a unique timestamp and create unique process_guid values.
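
To find which Linux endpoints need their clock corrected, exported events can be checked for implausible device_timestamp values and for a process_guid shared by different processes. The following Python script is an added example, not Carbon Black code; the field names device_name, process_name and process_pid, the year-2000 sanity floor and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export, one JSON event per line. device_timestamp and
# process_guid come from the article; the other field names are assumptions.
SAMPLE_EVENTS = """\
{"device_name": "lnx-web-01", "process_name": "/usr/bin/curl", "process_pid": 4121, "process_guid": "EXAMPLE-GUID-1", "device_timestamp": "1601-01-01T00:00:00Z"}
{"device_name": "lnx-web-01", "process_name": "/usr/bin/bash", "process_pid": 4200, "process_guid": "EXAMPLE-GUID-1", "device_timestamp": "1601-01-01T00:00:00Z"}
{"device_name": "lnx-web-01", "process_name": "/usr/bin/curl", "process_pid": 4121, "process_guid": "EXAMPLE-GUID-1", "device_timestamp": "1601-01-01T00:00:00Z"}
{"device_name": "lnx-db-02", "process_name": "/usr/sbin/sshd", "process_pid": 911, "process_guid": "EXAMPLE-GUID-2", "device_timestamp": "2024-05-02T10:15:30.123Z"}
"""

# Assumed sanity floor: no supported sensor can have produced events before this.
MIN_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp, with or without fractional seconds."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def audit(lines):
    """Return (events with implausible timestamps per device, colliding GUIDs)."""
    bad_devices = defaultdict(int)
    guid_members = defaultdict(set)  # process_guid -> distinct processes seen
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if parse_ts(ev["device_timestamp"]) >= MIN_PLAUSIBLE:
            continue  # clock looks sane, nothing to report
        bad_devices[ev["device_name"]] += 1
        guid_members[ev["process_guid"]].add(
            (ev["device_name"], ev["process_pid"], ev["process_name"]))
    # A GUID that maps to more than one process is the collision the backend
    # cannot untangle when it builds the process tree.
    collisions = {g: sorted(m) for g, m in guid_members.items() if len(m) > 1}
    return dict(bad_devices), collisions


if __name__ == "__main__":
    bad, collisions = audit(SAMPLE_EVENTS.splitlines())
    for device, count in sorted(bad.items()):
        print(f"{device}: {count} event(s) with implausible device_timestamp")
    for guid, members in collisions.items():
        print(f"{guid} shared by {len(members)} distinct processes: {members}")
```

Devices listed in the first result are the ones whose clock should be checked against the NTP source.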