Environment

• EDR (formerly Cb Response) Server: All Versions

Symptoms

• Loading an event from a recent alert returns a 404 page
• Endpoints associated with the Alerts do not show up in the Sensors page
• MaxEventStore* settings in cb.conf retain data beyond the date of the alert
• SensorLookupInactiveFilterDays is set in /etc/cb/cb.conf

Cause

Resolution

• SensorLookupInactiveFilterDays will need to be match the maximum number of days event data is retained
• For Server 7.2 and Above
  1. Go to Sensors > All Sensors and select "Sensor Display Settings"
  2. In the pop-up set the value to the desired maximum event retention in days and "Save"
• For Server 7.1 and Below

1. Open /etc/cb/cb.conf in a text editor
2. Determine the max retention of sensor events
3. Set SensorLookupInactiveFilterDays to match 
4. Save and exit cb.conf
5. Restart services - EDR: How to Restart Server Services

Additional Notes

• A value of 0 for the setting will set an unlimited number of days
• Maximum length of event retention is set by the MaxEventStoreDays setting in /etc/cb/cb.conf
• Increasing the sensor display settings will not affect how license limits are calculated

Related Content

• EDR: Selecting an Event From the Alerts Page Results in a 404 Page