Event Forwarder stops sending events to SIEM due to TCP Timeout. 
Article ID: 419441

Products

Carbon Black EDR

Issue/Introduction

Event Forwarder stops sending events to SIEM due to TCP timeout.

  • /var/log/cb/integrations/cb-event-forwarder/event-forwarder.log contains the following message when the forwarder attempts to send the event file:
    dial tcp: i/o timeout

Environment

  • Carbon Black EDR: All Versions
  • Carbon Black Event Forwarder: All Versions

Cause

Unable to resolve hostname

Resolution

  1. Verify the FQDN is resolvable for the SIEM:
    nslookup <fqdn>
  2. Verify which DNS server is unable to resolve the address:
    1. Check which DNS servers the server is using.
      cat /etc/resolv.conf
    2. Run nslookup against each DNS server individually.
      nslookup <fqdn> <IP_of_dns_server_entry_from_resolv.conf>
  3. Options:
    1. Fix the DNS record for this FQDN on the failing DNS server(s) so it returns the proper IP.
    2. Comment out the bad DNS entries in /etc/resolv.conf and add a known good DNS server entry.
    3. Update the event forwarder configuration to use the IP address of the destination instead of the FQDN.
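The per-server check in step 2 can be scripted so that every nameserver in /etc/resolv.conf is tested against the SIEM FQDN in one pass, and commented-out entries are skipped. This is an added example, not part of the article or the Event Forwarder; the resolv.conf contents and addresses below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample resolv.conf (not from a real host); on the forwarder
# host pass "$(cat /etc/resolv.conf)" instead.
SAMPLE_RESOLV_CONF='# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
# nameserver 10.0.0.54   (commented out; must be skipped)
nameserver 192.0.2.10'

# Print the active (uncommented) nameserver IPs from resolv.conf text, one per line.
# $1: resolv.conf contents
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Query one FQDN against every active nameserver in the given resolv.conf text.
# Prints "<server> ok" or "<server> FAIL" per server.
# Returns 0 only if every server resolved the name, 1 otherwise.
# $1: FQDN of the SIEM, $2: resolv.conf contents
check_fqdn_per_server() {
    fqdn=$1
    conf=$2
    failed=0
    for ns in $(resolv_nameservers "$conf"); do
        if nslookup "$fqdn" "$ns" >/dev/null 2>&1; then
            echo "$ns ok"
        else
            echo "$ns FAIL"
            failed=1
        fi
    done
    return $failed
}

# Usage: ./check_siem_dns.sh siem.example.com
if [ "$#" -ge 1 ]; then
    check_fqdn_per_server "$1" "$(cat /etc/resolv.conf)"
fi
```

A server reported as FAIL is the entry to fix or comment out under step 3; if every server reports ok, the timeout is not a DNS resolution problem on this host.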