This solution applies to all Carbon Black versions.
The cron jobs (from the cron tab file /etc/cron.d/cb) are not running at all. These processes provide core functionality of the product, and are necessary for tagging events for Watchlists, Feeds, collecting performance statistics, and other critical functions.
The following message may be observed in the /var/log/cron log file:
May 10 04:35:01 <My_CB_server> crond: (cb) FAILED to authorize user with PAM (Permission denied)
Note: The user referenced above is "cb", which all cron jobs run as on the system.
Root cause is due to system configuration forcing all users to use the PAM authentication module.
To workaround the PAM permission issue, add the following line to the /etc/security/access.conf file to allow the "cb" User access to the crond service. It is suggested to add it just below the line that references "root" for organizational reasons:
+ : cb : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
Then restart the crond service:
service crond restart