Cb Response: 6.1.7 Linux Sensor Eventlog Filling System

Environment

  • Cb Response Linux sensor: 6.1.7

Symptoms

  • The sensor continuously writes to /var/lib/cb/eventlogs, even when the directory is over the quota and log size limit, which by default is 1GB or 1% of the filesystem.

Cause

  • This is a known issue on the sensor side when the server is under heavy load (CB-21615).

Resolution

  • This issue is fixed in sensor version 6.1.9
  • As a workaround to prevent event log growth:
    • Set Sensor Data Suppression Levels to High for the sensor group
    • Make sure the sensor is able to connect to the server to submit data
  • If event logs still grow to an unmanageable size, monitor and remove large event logs:
    1. Stop cbdaemon
      • service cbdaemon stop
    2. Remove the eventlog file from /var/lib/cb/eventlogs 
    3. Start cbdaemon
      • service cbdaemon start
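
A report-only monitoring check for the workaround above, as an added example that is not part of the original article or of the Cb Response tooling: it flags when the eventlog directory exceeds a limit and lists the largest files, leaving the stop/remove/start steps to the operator. The 1 GiB default mirrors the quota named under Symptoms; the function names, variable names and the `--report` switch are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): report when the eventlog directory is over a limit.
EVENTLOG_DIR="${EVENTLOG_DIR:-/var/lib/cb/eventlogs}"   # path from the article
LIMIT_KB="${LIMIT_KB:-1048576}"                         # assumption: 1 GiB expressed in KiB

# Print the disk usage of a directory in KiB (0 if the directory does not exist).
eventlog_usage_kb() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    du -sk "$dir" | awk '{print $1}'
}

# Print 1% of the size of the filesystem that holds the given path, in KiB.
fs_one_percent_kb() {
    df -Pk "$1" | awk 'NR==2 {print int($2/100)}'
}

# Return 0 and print "OVER ..." when usage exceeds the limit, else return 1 and print "OK ...".
check_eventlogs() {
    dir="$1"; limit_kb="$2"
    used_kb=$(eventlog_usage_kb "$dir")
    if [ "$used_kb" -gt "$limit_kb" ]; then
        echo "OVER used_kb=$used_kb limit_kb=$limit_kb"
        return 0
    fi
    echo "OK used_kb=$used_kb limit_kb=$limit_kb"
    return 1
}

# List the N largest files (size in KiB, then path), largest first. Nothing is deleted.
largest_eventlogs() {
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -rn | head -n "${2:-5}"
}

# Run the report only when asked, e.g. from cron: sh check_eventlogs.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "1% of filesystem (KiB): $(fs_one_percent_kb "$EVENTLOG_DIR")"
    if check_eventlogs "$EVENTLOG_DIR" "$LIMIT_KB"; then
        largest_eventlogs "$EVENTLOG_DIR"
    fi
fi
```

Set LIMIT_KB to whichever of the two printed values applies to the host, and remove files only with cbdaemon stopped, as in the steps above.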

Additional Notes

  • Data in event logs has not been sent to the Cb Response server. Removing an event log will result in the loss of that event data.

Creation Date: 12-04-2018