Environment
- EDR Server: 7.x and Higher
- EDR Windows Sensor: 6.x and Higher
- Microsoft Windows OS: All Supported Versions
- Custom certificate for sensor to server communication enabled
Symptoms
- Sensors grow event and binary backlog because they are sending event data to the event-less Master node of a cluster
- C:\Windows\CarbonBlack\SensorComms.log shows the wrong IP/FQDN for the minion node to which the sensor is supposed to send events and binaries.
Cause
After enabling the custom sensor communication certificate setting, the following two registry keys were set with the wrong IP/FQDN for the minion node to which the sensor is supposed to report its data:
HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config\SensorBackendServerName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carbonblackk\SensorBackendServerName
Resolution
- On the affected endpoint, open the Registry Editor
- Remove the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config\SensorBackendServerName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carbonblackk\SensorBackendServerName
- Restart the Carbon Black Sensor service
- Validate that event data is getting submitted successfully to the minion node:
  - Open a command prompt
  - Run the following:
    sc control carbonblack 201
  - Check the C:\Windows\CarbonBlack\Diagnostics\SensorComms.log for successful eventlog submits to the correct IP/FQDN of the assigned minion node.
Additional Notes
- Examples of successful eventlog and binary (storefile) submits:
2020-03-06 18:32:39 | https://<minion node>:443/data/eventlog/reserve/2 | 0x00000000 | 0 | 16 | 0 | 0 | 500 | 0
2020-03-06 18:32:39 | https://<minion node>:443/data/eventlog/submit2/2 | 0x00000000 | 0 | 203 | 105888 | 0 | 500 | 509
2020-03-06 18:32:51 | https://<minion node>:443/data/storefile/check/2 | 0x00000000 | 0 | 31 | 82 | 72 | 500
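The Resolution steps above and the SensorComms.log format shown in the examples can be combined into one script. The following PowerShell is an added example, not part of this article or of the Carbon Black product; it assumes an elevated session, that the sensor's service name is "carbonblack" (taken from the sc control command above), that the log path is the Diagnostics one given in the Resolution, and that $ExpectedMinion is a placeholder for the FQDN or IP of the minion node the sensor is assigned to. It records the current registry value before deleting it so the wrong value is preserved for the support case, then restarts the service, forces a comms cycle, and parses the log to confirm that recent eventlog/storefile submits went to the expected node with a 0x00000000 result.

```powershell
# Added example (not from the Carbon Black KB article). Assumptions:
# run as Administrator; service name "carbonblack" and control code 201
# come from the article; $ExpectedMinion is a placeholder for the assigned
# minion node's FQDN/IP.
param(
    [Parameter(Mandatory)] [string] $ExpectedMinion,
    [string] $LogPath = 'C:\Windows\CarbonBlack\Diagnostics\SensorComms.log'
)

$valueName = 'SensorBackendServerName'
$regPaths = @(
    'HKLM:\SOFTWARE\CarbonBlack\config',
    'HKLM:\SYSTEM\CurrentControlSet\Services\carbonblackk'
)

# Step 1: record the current (wrong) value, then remove it from both locations.
foreach ($path in $regPaths) {
    $current = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $current) {
        Write-Host "Removing $path\$valueName (was: $($current.$valueName))"
        Remove-ItemProperty -Path $path -Name $valueName -ErrorAction Stop
    } else {
        Write-Host "$path\$valueName not present, nothing to remove"
    }
}

# Step 2: restart the sensor service so it re-reads its backend configuration.
Restart-Service -Name 'carbonblack' -Force -ErrorAction Stop

# Step 3: ask the sensor to run a communication cycle now.
# Note: in PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
sc.exe control carbonblack 201 | Out-Null
Start-Sleep -Seconds 30

# Step 4: parse SensorComms.log. Lines are pipe-separated: timestamp | URL | result | ...
# Keep only eventlog/storefile requests and compare the URL host with the expected minion.
$submits = Get-Content -Path $LogPath -Tail 200 |
    Where-Object { $_ -match '/data/(eventlog|storefile)/' } |
    ForEach-Object {
        $fields = $_ -split '\s*\|\s*'
        $uri = [System.Uri]$fields[1]
        [pscustomobject]@{
            Timestamp = $fields[0]
            Host      = $uri.Host
            Path      = $uri.AbsolutePath
            Result    = $fields[2]   # 0x00000000 in the article's examples means success
        }
    }

$wrong = $submits | Where-Object { $_.Host -ne $ExpectedMinion -or $_.Result -ne '0x00000000' }
if ($wrong) {
    Write-Warning 'Submits are still going to the wrong node or failing:'
    $wrong | Format-Table -AutoSize
    exit 1
}
Write-Host "All recent submits went to $ExpectedMinion with result 0x00000000"
```

Run it as .\Fix-SensorBackend.ps1 -ExpectedMinion minion01.example.internal (placeholder name). The 30-second wait is a rough allowance for the sensor to complete a cycle after the control code; if the log shows no new submit lines yet, rerun only the Step 4 portion rather than deleting the registry values again.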