Environment
- Carbon Black Cloud: Current Version
- Carbon Black Cloud API: Current Version
- Data Forwarder: Endpoint.Event
Symptoms
All of the endpoint.event Data Forwarder includes and excludes values are missing/removed from the Carbon Black Cloud Console after adding a new value to the Data Forwarder and saving.
Cause
If a duplicate or blank 'NAME' value is added to the Data Forwarder configuration, the save action removes the old configuration and tries to reapply the whole configuration in bulk. The bulk reapply throws an HTTP 400 error, and the configuration in the Carbon Black Cloud Console is zeroed out.
Resolution
The current workaround is to validate that the 'NAME' value being added is unique and not blank for every additional query added to the includes or excludes fields.
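The check described in the workaround can be run over a candidate change before it is saved. This is an added example, not code from Carbon Black or the Carbon Black Cloud API. The entry layout (a list of dicts with a `NAME` key), the function name and the sample entries are assumptions, and treating names that differ only in case or surrounding whitespace as duplicates is a deliberately strict choice.

```python
"""Pre-save check for Data Forwarder include/exclude entries (added example)."""


def find_name_problems(existing, additions, name_key="NAME"):
    """Return (index, name, reason) for each addition that is unsafe to save.

    existing / additions are lists of dicts. The dict layout and name_key
    are assumptions for this example, not the Carbon Black Cloud schema.
    """
    seen = {}
    for entry in existing:
        raw = entry.get(name_key)
        name = raw.strip() if isinstance(raw, str) else ""
        if name:
            seen[name.casefold()] = "existing configuration"

    problems = []
    for i, entry in enumerate(additions):
        raw = entry.get(name_key)
        name = raw.strip() if isinstance(raw, str) else ""
        if not name:
            problems.append((i, raw, "blank or missing NAME"))
            continue
        key = name.casefold()
        if key in seen:
            problems.append((i, name, "duplicate of NAME in " + seen[key]))
        else:
            # Remember accepted additions so later ones are checked against them.
            seen[key] = "addition #%d" % i
    return problems


# Constructed sample data; names and query placeholders are illustrative only.
EXISTING = [{"NAME": "powershell-netconn", "query": "<constructed query A>"}]
ADDITIONS = [
    {"NAME": "office-child-proc", "query": "<constructed query B>"},    # ok
    {"NAME": "", "query": "<constructed query C>"},                     # blank
    {"NAME": "PowerShell-NetConn ", "query": "<constructed query D>"},  # dup
    {"NAME": "office-child-proc", "query": "<constructed query E>"},    # dup
    {"query": "<constructed query F>"},                                 # missing
]

if __name__ == "__main__":
    for index, name, reason in find_name_problems(EXISTING, ADDITIONS):
        print("addition #%d (%r): %s" % (index, name, reason))
```

Save the change only when the function returns an empty list.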
Additional Notes
- Best practices suggest that you back up the Data Forwarder configurations via the API to allow re-installation of the "last known good" config.
- Adding new values via the Carbon Black Cloud console has input validation that will prevent duplicate/empty NAME label entries and is the recommended method.