EDR: Alerts not being generated for Watchlists.

Environment

  • EDR Server: 6.2.3

Symptoms

  • Watchlist hits are reported on the Watchlist page, but the corresponding events do not appear on the Triage Alerts page.
  • The /var/log/cb/datastore directory contains a large number of debug.log#######.tmp files.

Cause

  Known issue with the datastore debug.log files; to be addressed in a future release.

Resolution

  1. Open the /etc/cb/cron/cb.cron.template file for editing.
  2. Add a cron job that removes .tmp files under /var/log/cb/datastore/ older than 7 days (the name pattern is quoted so the shell does not expand it before find sees it):
    0 0 * * * root find /var/log/cb/datastore -type f -name '*.tmp' -mtime +7 -delete

Additional Notes

  • Troubleshooting reveals an inordinate number of datastore debug.log files; the following command counts those older than one day:
    find /var/log/cb/datastore/ -mtime +1 -name 'debug.log*' | wc -l
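The cleanup from the Resolution steps and the count from the note above, written as a small script with a dry-run count before anything is deleted. This is an added example, not part of the KB article or Carbon Black's own tooling; the directory, age threshold and sample file names are constructed for illustration and the defaults match the article's values.

```shell
#!/bin/sh
# Added example (not from the KB article): stale .tmp cleanup for the
# EDR datastore log directory, with a dry-run count first.

# Count .tmp files under $1 older than $2 days. No deletion.
count_stale_tmp() {
    dir=$1; days=$2
    # '*.tmp' is quoted so find, not the shell, evaluates the pattern;
    # -type f keeps the match to regular files.
    find "$dir" -type f -name '*.tmp' -mtime +"$days" | wc -l | tr -d ' '
}

# Delete those files and print how many were removed.
purge_stale_tmp() {
    dir=$1; days=$2
    before=$(count_stale_tmp "$dir" "$days")
    find "$dir" -type f -name '*.tmp' -mtime +"$days" -delete
    echo "$before"
}

# Print the cron line equivalent to the article's step 2 (quoted pattern).
cron_line() {
    dir=${1:-/var/log/cb/datastore}; days=${2:-7}
    echo "0 0 * * * root find $dir -type f -name '*.tmp' -mtime +$days -delete"
}

# Constructed sample directory: one old .tmp, one fresh .tmp and a
# non-.tmp log that must survive the purge.
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/debug.log0000001.tmp" "$d/debug.log0000002.tmp" "$d/debug.log"
    # Backdate the first .tmp by 10 days (GNU touch -d, BSD fallback).
    touch -d '10 days ago' "$d/debug.log0000001.tmp" 2>/dev/null \
      || touch -t "$(date -v-10d +%Y%m%d%H%M)" "$d/debug.log0000001.tmp"
    echo "$d"
}

# Stand-alone run: show the count, then purge, on the sample directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    echo "stale before: $(count_stale_tmp "$d" 7)"
    echo "removed: $(purge_stale_tmp "$d" 7)"
    cron_line
    rm -rf "$d"
fi
```

Run `count_stale_tmp /var/log/cb/datastore 7` on the server before installing the cron job to confirm the threshold only matches the debug .tmp backlog.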

Article Information
Creation Date: 09-18-2018