Environment
- EDR Server: 6.x and Higher
Symptoms
Cause
This issue is caused when rsyslog rate limiting is enabled
Resolution
Note: the changes below are external to Carbon Black and it is up to the customer to consider if this should be done or not.
- Disable rate limiting by modifying /etc/rsyslog.conf to:
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 1000
- Restart the Rsyslog service
service rsyslog restart
Additional Notes
- Setting $SystemLogRateLimitInterval to 0 turns off rate limiting entirely
- Setting $SystemLogRateLimitBurst to 1000 increases the threshold of the number of messages for rate limiting very high
Related Content