
EDR: How To Purge CbEvent (Process) Data in 6.x and Higher

Environment

  • EDR Server: 6.x and Higher

Objective

How to purge event process data from the Solr database in EDR 6.x and higher.


Resolution

 Warning: This will irrecoverably remove data from the server. After removing this data, users will receive a 404 page when attempting to view Alerts, and process data will no longer appear in Process Search.

  1. Determine which core should be removed, typically the oldest core:

     curl "http://127.0.0.1:8080/solr/admin/cores?action=STATUS&wt=json&indexInfo=false&indent=true" | grep name

  2. Manually unload the core from the command line, where <core_name> is the core to be unloaded:

     curl "http://localhost:8080/solr/admin/cores?action=UNLOAD&core=<core_name>"

  3. Verify the core is unloaded, substituting <core_name> with the name used above (the grep should return no output):

     curl "http://localhost:8080/solr/admin/cores?action=STATUS&indexInfo=true&indent=true&wt=json" | grep <core_name>

  4. Once the core is unloaded, remove the <core_name> files:

     rm -rf /var/cb/data/solr5/cbevents/<core_name>
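The four steps above combined into one script, added here as an example and not part of the original article. It assumes Solr listens on 127.0.0.1:8080 and that cores live under the article's default data path, and it assumes cbevents core names carry a sortable date suffix (the sample names used in testing are constructed), so the lexically smallest name is the oldest core. The UNLOAD is followed by a STATUS check so that the directory is only deleted once Solr no longer reports the core, the core name is validated before it is joined to a path for rm -rf, and DRY_RUN=1 prints what would happen instead of doing it.

```shell
#!/bin/sh
# Added example, not from the KB article: purge the oldest cbevents core.
# Assumptions: Solr listens on 127.0.0.1:8080 (as in the article), cores live
# under the article's default path, and core names carry a sortable date suffix.
set -eu

SOLR="http://127.0.0.1:8080/solr/admin/cores"
DATA_DIR="/var/cb/data/solr5/cbevents"   # default cbevents path from the article
DRY_RUN="${DRY_RUN:-0}"                   # DRY_RUN=1 prints actions instead of running them

# Print the core names found in a STATUS response (JSON on stdin), one per line.
core_names() {
    grep -o '"name"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# Choose the oldest cbevents core from a STATUS response on stdin.
# Assumes names such as cbevents_YYYY_MM_DD_hhmm (assumed format), which sort chronologically.
oldest_core() {
    core_names | grep '^cbevents_' | sort | head -n 1
}

# Succeed when the named core is still listed in the STATUS response on stdin.
core_loaded() {
    core_names | grep -qx "$1"
}

# Reject anything that is not a plain core name before it is joined to a path for rm -rf.
valid_core_name() {
    case "$1" in
        ""|*/*|*..*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Unload one core, confirm Solr no longer reports it, then delete its directory.
purge_core() {
    name="$1"
    valid_core_name "$name" || { echo "refusing to purge '$name'" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "would unload $name and remove $DATA_DIR/$name"
        return 0
    fi
    curl -sS "$SOLR?action=UNLOAD&core=$name" >/dev/null
    if curl -sS "$SOLR?action=STATUS&wt=json&indexInfo=false" | core_loaded "$name"; then
        echo "core $name is still loaded; leaving its files in place" >&2
        return 1
    fi
    rm -rf "$DATA_DIR/$name"
    echo "purged $name"
}

main() {
    name=$(curl -sS "$SOLR?action=STATUS&wt=json&indexInfo=false&indent=true" | oldest_core)
    [ -n "$name" ] || { echo "no cbevents core found" >&2; return 1; }
    echo "oldest core: $name"
    purge_core "$name"
}

# Run only when invoked with --run, so the functions can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `DRY_RUN=1 sh purge_oldest_core.sh --run` first to see which core would be selected, then without DRY_RUN to perform the unload and deletion.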

Additional Notes

  • If Solr is not running, cores can be removed without manually unloading them first.
  • Unloading a core but skipping step 4 and leaving it in the directory means Solr will not purge this data; leaving an unloaded core on disk can greatly reduce retention.
  • The cbevents data is held in /var/cb/data/solr5/cbevents/ as 3-day rollover cores by default. If the default storage path has been changed, the path in step 4 will need to be altered to match.

Article Information

Creation Date: 02-25-2019