Cb Response: 6.1.7 Linux Sensor Eventlog Filling System
Environment
Cb Response Linux sensor: 6.1.7
Symptoms
The sensor continuously writes to /var/lib/cb/eventlogs, even after the directory exceeds the quota and log size limit, which by default is 1GB or 1% of the filesystem.
Cause
This is a known sensor-side issue that occurs when the server is under heavy load (CB-21615).
Resolution
This issue is fixed in sensor version 6.1.9
As a workaround to prevent event log growth:
1. Set Sensor Data Suppression Levels to High for the sensor group.
2. Make sure the sensor is able to connect to the server to submit data.
3. If event logs still grow to an unmanageable size, monitor and remove large event logs:
   a. Stop cbdaemon:
      service cbdaemon stop
   b. Remove the eventlog file from /var/lib/cb/eventlogs.
   c. Start cbdaemon:
      service cbdaemon start
Additional Notes
Data in event logs have not been sent to the Cb Response server. Removing an event log will result in a loss of that event data.
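
For the monitoring part of the workaround, a read-only check such as the following can report when the event log directory is over its limit and which files are largest. This is an added example, not Carbon Black code; the function names, the RUN_CHECK switch, and the choice of the smaller of 1GB and 1% of the filesystem as the effective limit are assumptions.

```shell
#!/bin/sh
# Added example: read-only size check for the Cb Response sensor event log directory.
EVENTLOG_DIR="${EVENTLOG_DIR:-/var/lib/cb/eventlogs}"   # path from the article
FIXED_LIMIT_KB=1048576                                  # 1GB default, in KiB

# Current size of a directory tree in KiB.
dir_usage_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# 1% of the filesystem that holds the directory, in KiB.
fs_one_percent_kb() {
    df -Pk "$1" | awk 'NR==2 {printf "%d\n", $2 / 100}'
}

# Assumption: the effective limit is the smaller of 1GB and 1% of the filesystem.
effective_limit_kb() {
    pct=$(fs_one_percent_kb "$1")
    if [ "$pct" -lt "$FIXED_LIMIT_KB" ]; then echo "$pct"; else echo "$FIXED_LIMIT_KB"; fi
}

# True (exit 0) when usage exceeds the limit; $2 optionally overrides the limit in KiB.
over_limit() {
    used=$(dir_usage_kb "$1")
    limit=$2
    [ -n "$limit" ] || limit=$(effective_limit_kb "$1")
    [ "${used:-0}" -gt "$limit" ]
}

# Largest files first (size in KiB, path), so the operator knows what to review.
largest_logs() {
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -rn | head -n "${2:-5}"
}

# Exit codes: 0 within limit, 1 over limit, 2 directory missing.
check_eventlogs() {
    if [ ! -d "$1" ]; then echo "missing: $1"; return 2; fi
    if over_limit "$1" "$2"; then
        echo "OVER LIMIT: $1 uses $(dir_usage_kb "$1") KiB"
        largest_logs "$1"
        return 1
    fi
    echo "ok: $1 uses $(dir_usage_kb "$1") KiB"
}

# Set RUN_CHECK=1 (for example from cron) to check the default directory.
if [ "${RUN_CHECK:-0}" = "1" ]; then check_eventlogs "$EVENTLOG_DIR"; fi
```

The script never deletes anything; removal still follows the stop, remove, start steps above and discards event data that has not yet reached the server.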