Ingestion Stops with Windows Event Log Enabled and App Control Agent Installed

Article ID: 426465


Products

Carbon Black EDR

Issue/Introduction

Ingestion stops shortly after Windows Event Log capture is enabled in an environment where an App Control agent is, or has been, installed on one or more machines.

  • /var/log/cb/datastore/debug.log contains the following warning message:
    Exception sending data to Solr, retrying every 5 seconds...
    org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://serveraddress:8080/solr/cbauth: ERROR: [doc=random-doc-id] unknown field 'host_id'
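
To confirm that a server is hitting this specific error rather than another Solr failure, the check below scans the datastore debug log for the rejection shown above and reports the core and field involved. It is an added example, not vendor tooling: the log path and error text come from this article, while the function names and the sample log's timestamps and INFO line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor tooling): look for this article's signature in a
# datastore debug log. The default path is the one named in the article.
LOG="${1:-/var/log/cb/datastore/debug.log}"

# Print "core field count" for each Solr "unknown field" rejection in file $1.
solr_unknown_fields() {
    sed -n "s|.*RemoteSolrException: Error from server at [^ ]*/solr/\([^: ]*\):.*unknown field '\([^']*\)'.*|\1 \2|p" "$1" |
        sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Succeed only when core cbauth rejected field host_id, as in the article.
has_host_id_signature() {
    solr_unknown_fields "$1" | grep -q '^cbauth host_id '
}

# Count the retry warnings that accompany the stalled ingestion.
retry_warning_count() {
    grep -c 'Exception sending data to Solr, retrying every 5 seconds' "$1" || true
}

# Constructed sample: the two message lines from the article, repeated; the
# timestamps and the INFO line are invented for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01 10:00:00 INFO  datastore started
2024-01-01 10:00:05 WARN  Exception sending data to Solr, retrying every 5 seconds...
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://serveraddress:8080/solr/cbauth: ERROR: [doc=random-doc-id] unknown field 'host_id'
2024-01-01 10:00:10 WARN  Exception sending data to Solr, retrying every 5 seconds...
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://serveraddress:8080/solr/cbauth: ERROR: [doc=random-doc-id] unknown field 'host_id'
EOF
}

report() {
    if has_host_id_signature "$1"; then
        echo "MATCH: $(retry_warning_count "$1") retry warnings; rejected fields:"
        solr_unknown_fields "$1"
    else
        echo "no host_id signature in $1"
    fi
}

# Scan the real log when readable, otherwise demonstrate on the sample.
if [ -r "$LOG" ]; then
    report "$LOG"
else
    tmp=$(mktemp) && write_sample_log "$tmp" && report "$tmp"; rm -f "$tmp"
fi
```

Pass a different log path as the first argument to scan a rotated or copied log file.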

Environment

  • Carbon Black EDR Server: 7.9.0
  • Carbon Black Application Control Agent: All Versions

Cause

Endpoints with the EDR sensor and App Control (AppC) installed prior to 7.5.0 have remnants of parity_host_id in the sensor_registrations table.

Resolution

Carbon Black EDR Server Advisory for a known Issue in 7.9.0 release

  1. Disable the Windows Event Log feature or upgrade to 7.9.1 when available.
  2. Restart the EDR server service. See: How to Start, Stop and Restart EDR Application Services