Knowledge Base

Yes

Environment

Carbon Black Cloud Sensor: 2.11 and newer
Linux: All Supported Versions

Question

Why is event_collector no longer loaded in kernel on 2.11+ sensor?

Answer

EEDR support for modern Linux distributions was introduced in 2.10.0. ES support for the same was added in 2.11.0. Both products use eBPF technology for event collection (no kernel driver needed), and it requires correct kernel headers to be installed on the system.

Additional Notes

You should now see event_collector in the output from ps aux
If the sensor reports as offline, headers will need to be installed

Knowledge Base

Carbon Black Cloud Linux Sensor: event_collector is not loaded in kernel

Carbon Black Cloud Linux Sensor: event_collector is not loaded in kernel

Environment

Question

Answer

Additional Notes

Related Content

Audit and Remediation

Carbon Black Cloud

Endpoint Standard

Enterprise EDR

Managed Detection

Prevention

Workload

Knowledge Base

Carbon Black Cloud Linux Sensor: event_collector is not loaded in kernel

Carbon Black Cloud Linux Sensor: event_collector is not loaded in kernel

Environment

Question

Answer

Additional Notes

Related Content

Audit and Remediation

Carbon Black Cloud

Endpoint Standard

Enterprise EDR

Managed Detection

Prevention

Workload

Thank you for your feedback.

Thank you for your feedback.