
EDR: Syslog notifications are not being sent due to rate limiting

Environment

  • EDR Server: 6.x and Higher

Symptoms

  • Watchlist hit notifications or events are not sent to syslog
  • Watchlist hit notifications or events are sent but arrive truncated
  • Error in /var/log/messages:
    Apr 29 14:30:07 localhost rsyslogd-2177: imuxsock begins to drop messages from pid <cb-enterprise PID> due to rate-limiting
  • The PID in the /var/log/messages error matches the cb-enterprise PID. Verify with:
    ps -ef | grep cb-enterprise

Cause

This issue occurs when rsyslog's imuxsock rate limiting is enabled: once the cb-enterprise process sends more messages than the configured burst allows within the rate-limit interval, rsyslog drops its further messages, so watchlist notifications are lost or arrive truncated.

Resolution

Note: the changes below are external to Carbon Black, and it is up to the customer to decide whether they should be made.
  1. Disable rate limiting by modifying /etc/rsyslog.conf to contain:
    $SystemLogRateLimitInterval 0
    $SystemLogRateLimitBurst 1000
  2. Restart the rsyslog service:
    service rsyslog restart

Additional Notes

  • Setting $SystemLogRateLimitInterval to 0 turns off rate limiting entirely.
  • Setting $SystemLogRateLimitBurst to 1000 raises the number of messages allowed per interval to a very high threshold; it only takes effect if the interval is non-zero.
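The following shell functions are an added example, not part of this article or of Carbon Black's own tooling. They confirm the symptom above (that the PID imuxsock is dropping messages from is the cb-enterprise PID) and read back the two rate-limit directives after the resolution has been applied; the log extract, the rsyslog.conf fragment and the PID 4321 are constructed samples.

```shell
#!/bin/sh
# Added example (not from the KB article). Checks a syslog extract for imuxsock
# rate-limit drops and reads $SystemLogRateLimit* directives from rsyslog.conf text.

# Constructed /var/log/messages extract; 4321 stands in for the cb-enterprise PID.
SAMPLE_MESSAGES='Apr 29 14:29:55 localhost rsyslogd-2177: imuxsock lost 127 messages from pid 4321 due to rate-limiting
Apr 29 14:30:07 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 4321 due to rate-limiting
Apr 29 14:30:09 localhost sshd[2200]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Apr 29 14:30:11 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 999 due to rate-limiting'

# Print the distinct PIDs that imuxsock reports dropping messages from.
# Usage: dropped_pids "<log text>"
dropped_pids() {
    printf '%s\n' "$1" \
      | grep 'imuxsock' | grep 'due to rate-limiting' \
      | sed -n 's/.*from pid \([0-9][0-9]*\) .*/\1/p' \
      | sort -u
}

# Return 0 if the given PID is among the rate-limited PIDs, 1 otherwise.
# Usage: pid_is_rate_limited <pid> "<log text>"
pid_is_rate_limited() {
    dropped_pids "$2" | grep -qx "$1"
}

# Print the value of one $SystemLogRateLimit* directive from rsyslog.conf text.
# Prints nothing when the directive is absent (rsyslog then uses its built-in default).
# Usage: rate_limit_setting "<directive name>" "<conf text>"
rate_limit_setting() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $2 }' | tail -n 1
}

# Constructed rsyslog.conf fragment after applying the resolution above.
SAMPLE_CONF='$ModLoad imuxsock
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 1000'

# Stand-alone run. On a live server pass "$(cat /var/log/messages)",
# "$(cat /etc/rsyslog.conf)" and the PID from `ps -ef | grep cb-enterprise` instead.
if pid_is_rate_limited 4321 "$SAMPLE_MESSAGES"; then
    echo "cb-enterprise PID 4321 is being rate-limited by imuxsock"
fi
echo "interval=$(rate_limit_setting '$SystemLogRateLimitInterval' "$SAMPLE_CONF")"
echo "burst=$(rate_limit_setting '$SystemLogRateLimitBurst' "$SAMPLE_CONF")"
```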

Article Information
Creation Date: 12-09-2015