EDR: How to enable event cold storage

Article ID: 287931

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to enable event cold storage so that cold event partitions are kept for later viewing

Environment

  • EDR Server: 6.1.x and above (Formerly CB Response)

Resolution

  1. Log in to the server via ssh/terminal
  2. Open /etc/cb/cb.conf
  3. Find the value "AlwaysDeleteColdPartitions=" and set it to false
  4. Restart the server services: How to Restart Server Services

Additional Information

  • For clustered environments, the configuration needs to be added to the minions/nodes as well before service restart
  • If "AlwaysDeleteColdPartitions=" does not exist, add it anywhere as a line in the cb.conf file
  • Cold cores should be moved off the Response data drive to ensure warm core retention has enough space
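
One idempotent way to apply steps 2 and 3, including the case where the key is missing, as an added example (not vendor tooling). The function name, the .bak backup suffix and the temporary file name are this example's own choices.

```shell
#!/bin/sh
# Added example: set AlwaysDeleteColdPartitions=false in a cb.conf-style file.
# Covers both cases from the article: the key is present with another value
# (rewritten in place) or absent (appended as a new line).
# A commented-out line such as "#AlwaysDeleteColdPartitions=true" is not an
# active setting, so it is left alone and the key is appended.

set_cold_storage() {
    conf="${1:-/etc/cb/cb.conf}"
    key="AlwaysDeleteColdPartitions"

    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }

    # Already set as required: make no change and take no backup.
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*false[[:space:]]*$" "$conf"; then
        echo "unchanged"
        return 0
    fi

    # Keep a copy of the current file before modifying it.
    cp -p "$conf" "$conf.bak" || return 1

    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        # Key exists with a different value: rewrite each active occurrence.
        tmp="$conf.tmp.$$"
        sed -E "s/^[[:space:]]*${key}[[:space:]]*=.*/${key}=false/" "$conf" > "$tmp" || return 1
        # Writing through cat keeps the original file's owner and mode.
        cat "$tmp" > "$conf" && rm -f "$tmp"
        echo "updated"
    else
        # Key absent: the article allows adding it anywhere as its own line.
        # If the last line has no trailing newline, add one first so the
        # new setting does not get glued onto an existing value.
        [ -n "$(tail -c 1 "$conf")" ] && echo >> "$conf"
        echo "${key}=false" >> "$conf"
        echo "added"
    fi
}

# Usage on the server (then restart services as in step 4):
#   set_cold_storage /etc/cb/cb.conf
```

In a clustered environment, run the same function on each minion/node before restarting services.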

How to remount Solr Cold Core Partitions