Does the Event Forwarder Cache Events When the Connection is Lost to the SIEM?
Article ID: 415226

Updated On:

Products

Carbon Black EDR

Issue/Introduction

Does the cb-event-forwarder delete or cache the events when the network connectivity is lost to the SIEM?

Environment

  • Carbon Black EDR: All Versions
  • Cb-Event-Forwarder: All Versions

Resolution

The event forwarder caches the data until the connection is established again. It attempts to re-establish the connection every minute and resumes submitting the cached data once a connection attempt succeeds.

Additional Information

  • The event forwarder writes each batch of events to a temporary file under /var/cb/data/event-forwarder. Once a batch is submitted successfully, its temporary file is removed. While the connection is down these files remain on disk; after the connection is re-established they are removed one by one as each batch is successfully sent.
  • During a prolonged connection outage the cached files can fill the disk, depending on how the system is partitioned.
  • If the event forwarder service itself is stopped while the EDR services are running and ingesting data, the events generated during that time are lost. There is no way to resend the data missed during this time through the event forwarder.
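Because cached batch files accumulate in /var/cb/data/event-forwarder for as long as the SIEM is unreachable, the practical check during an outage is whether the backlog (file count and total size) is growing toward the partition's capacity. The following POSIX shell script is an added example, not part of this article or of the cb-event-forwarder project: it counts the unsent batch files and their total size and reports WARN when either exceeds a threshold. The directory path comes from the article; the threshold values and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article or the cb-event-forwarder project).
# Reports how many unsent batch files the event forwarder has spooled and how
# much disk they occupy, so a growing backlog during a SIEM outage is noticed
# before the partition fills. The directory is the one named in the article;
# the thresholds are assumptions and can be overridden with arguments.

SPOOL_DIR_DEFAULT=/var/cb/data/event-forwarder

# count_spool_files DIR -> number of regular files directly inside DIR (0 if DIR is missing)
count_spool_files() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# spool_bytes DIR -> total size in bytes of the regular files directly inside DIR
spool_bytes() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips the literal glob when DIR is empty
        size=$(wc -c < "$f" | tr -d ' ')
        total=$((total + size))
    done
    echo "$total"
}

# backlog_status DIR [MAX_FILES] [MAX_BYTES]
# Prints one OK/WARN line; returns 0 for OK and 1 for WARN so it can drive an alert.
# Defaults (assumed, not from the article): 100 files or 1 GiB of spooled data.
backlog_status() {
    dir=${1:-$SPOOL_DIR_DEFAULT}
    max_files=${2:-100}
    max_bytes=${3:-1073741824}
    files=$(count_spool_files "$dir")
    bytes=$(spool_bytes "$dir")
    if [ "$files" -gt "$max_files" ] || [ "$bytes" -gt "$max_bytes" ]; then
        echo "WARN: $files unsent batch files ($bytes bytes) in $dir; check SIEM connectivity and free disk space"
        return 1
    fi
    echo "OK: $files unsent batch files ($bytes bytes) in $dir"
    return 0
}

# demo: exercises backlog_status against a constructed temporary directory
# (five small fake batch files) so the script can be tried on any host.
demo() {
    tmp=$(mktemp -d)
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'constructed event batch %s\n' "$i" > "$tmp/batch.$i.json"
        i=$((i + 1))
    done
    backlog_status "$tmp" 3 1048576     # 5 files > 3 allowed, so this prints WARN
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run `backlog_status` with no arguments on the forwarder host to check the real spool directory (it needs read access to /var/cb/data/event-forwarder), or `demo` to see the WARN path against constructed files. The non-zero return code is what a cron job or monitoring agent should key on; pairing the check with the partition's free space (for example `df -h /var/cb/data`) shows how long the cache can keep absorbing events before the second bullet above becomes a problem.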