Environment
EDR: 6.2.x and Higher
Symptoms
Log files are missing from the /var/log/cb/audit directory
Cause
One of the configuration files involved in audit logging may be missing required settings
Resolution
Possible Resolutions
- Copy the /etc/rsyslog.conf configuration from a working server
- Check that EnableAuditLogsToEvents=True is in the cb.conf file
- Check for missing lines in the /etc/rsyslog.d/cb-coreservices.conf file
- Confirm that the /etc/rsyslog.d/cb-logrotate.conf has settings for the missing log files
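
One way to run the checks above before changing anything, as an added example that is not part of the original article or vendor tooling: it verifies the cb.conf flag and reports lines that exist in a working server's copies of the three rsyslog files but not locally. The function names, the reference-directory layout and passing the cb.conf path as an argument are assumptions.

```shell
#!/bin/sh
# Added example, not vendor tooling. Usage: sh check.sh CB_CONF REF_ROOT [ROOT]
#   CB_CONF  - path to cb.conf on this server (supplied by the operator)
#   REF_ROOT - directory holding etc/... copied from a working server
#   ROOT     - prefix for the local files (default: the live filesystem)

# True if CB_CONF has an uncommented EnableAuditLogsToEvents=True line.
audit_flag_enabled() {
    grep -Eq '^[[:space:]]*EnableAuditLogsToEvents[[:space:]]*=[[:space:]]*True[[:space:]]*$' "$1"
}

# Print effective lines (trimmed, no blanks or # comments) that are in the
# reference file $1 but not in the local file $2. An unreadable local file
# is treated as empty, so every reference line is reported.
missing_lines() {
    loc=$2
    [ -r "$loc" ] || loc=/dev/null
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^$/ || /^#/ { next }
        FILENAME == ARGV[1] { have[$0] = 1; next }
        !($0 in have)
    ' "$loc" "$1"
}

# Run all four checks from the list; return 1 if any of them fails.
check_audit_logging() {
    cb_conf=$1 ref=$2 root=${3:-} rc=0
    if ! audit_flag_enabled "$cb_conf"; then
        echo "FAIL: EnableAuditLogsToEvents=True not set in $cb_conf"; rc=1
    fi
    for f in /etc/rsyslog.conf /etc/rsyslog.d/cb-coreservices.conf \
             /etc/rsyslog.d/cb-logrotate.conf; do
        out=$(missing_lines "$ref$f" "$root$f")
        if [ -n "$out" ]; then
            echo "FAIL: $root$f lacks lines found on the working server:"
            echo "$out" | sed 's/^/    /'
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -eq 3 ] || [ "$#" -eq 2 ]; then check_audit_logging "$@"; fi
```

The script only reads files, so it can be run before deciding which of the resolutions to apply.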