Following the upgrade to the 7.5.0 Windows sensor, some environments have reported issues where sensors successfully check in with the Primary Node but fail to offload event data to Minion (Secondary) nodes. This results in 403 Forbidden errors appearing in Nginx logs and the accumulation of local event backlogs on the endpoint.
Carbon Black Sensor 7.5.0-win
Infrastructure: Primary/Master node with one or more Minion/Secondary nodes
The root cause is a bug in a connection fallback mechanism introduced in version 7.5.0.
Faulty Fallback Logic: During a transient network or DNS glitch, the sensor attempts to maintain connectivity by falling back to the LastKnownGoodServerName (typically the Primary Node).
Incorrect Routing: While this fallback is appropriate for registrations or check-ins, the bug incorrectly applies it to event data calls (e.g., /data/eventlog/reserve). These calls are forced to the Primary Node, which rejects the traffic with a 403 Forbidden error because the Primary Node does not accept event data intended for Minions.
Connection Persistence: Once the sensor establishes this incorrect fallback connection, it continues to reuse it indefinitely until the sensor service is restarted.
Hosts File Corruption: The faulty routine may also write an empty data block to the hosts file, further complicating local name resolution.
The fix will be included in the upcoming GA version 7.5.1-win.
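To identify which endpoints are stuck on the fallback connection, the 403 responses on event data calls can be counted per client in the Primary Node's Nginx access log. The following Python script is an added example, not vendor code or part of the original article; it assumes the Nginx "combined" log format, and the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the Primary Node's Nginx access log uses the "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
EVENT_PATH_PREFIX = "/data/eventlog/reserve"  # event data call named in the article
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_stuck_sensors(lines, min_hits=3):
    """Map client IP -> (hits, first_seen, last_seen) for clients that received
    at least min_hits 403 responses on event data calls."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed format; ignore rather than guess
        if m["status"] == "403" and m["path"].startswith(EVENT_PATH_PREFIX):
            seen[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    # A single 403 can be a transient glitch; repeated hits over time match
    # the persistent fallback connection that lasts until a service restart.
    return {ip: (len(ts), min(ts), max(ts))
            for ip, ts in seen.items() if len(ts) >= min_hits}


# Constructed sample lines (192.0.2.0/24 is a documentation range);
# "/example/checkin" is a placeholder path, not a real sensor endpoint.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2025:10:00:01 +0000] "POST /data/eventlog/reserve HTTP/1.1" 403 162 "-" "-"
192.0.2.10 - - [12/Mar/2025:10:05:00 +0000] "POST /example/checkin HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [12/Mar/2025:10:10:01 +0000] "POST /data/eventlog/reserve HTTP/1.1" 403 162 "-" "-"
192.0.2.20 - - [12/Mar/2025:10:12:30 +0000] "POST /data/eventlog/reserve HTTP/1.1" 403 162 "-" "-"
192.0.2.10 - - [12/Mar/2025:10:20:01 +0000] "POST /data/eventlog/reserve HTTP/1.1" 403 162 "-" "-"
192.0.2.30 - - [12/Mar/2025:10:21:00 +0000] "GET /example/other HTTP/1.1" 403 162 "-" "-"
truncated or malformed line
192.0.2.10 - - [12/Mar/2025:10:30:01 +0000] "POST /data/eventlog/reserve HTTP/1.1" 403 162 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, (hits, first, last) in sorted(find_stuck_sensors(SAMPLE_LOG).items()):
        print(f"{ip}: {hits} x 403 on event data calls over {last - first}")
```

Against a real log, pass an open file object as `lines`; hosts reported here are candidates for a sensor service restart, which the article identifies as what ends the reused fallback connection.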