Cb Response: Linux / Mac OSX sensors showing offline and reporting 404s on the backend

Environment

  • Cb Response 6.x

  • Linux All Versions
  • Mac OS All Versions

Symptoms

  • Sensors are showing as offline in the UI

  • /var/log/cb/nginx/error.log shows several errors like this

    2018/06/19 19:47:13 [error] 46021#46021: *13939 open() "/var/www/cb/data/eventlog/reserve/22" failed (2: No such file or directory), client: ::ffff:192..., server: , request: "GET /data/eventlog/reserve/22 HTTP/1.1", host: "192...:8443"
  • /var/log/cb/nginx/access.log shows several GET requests with a 404 response

    [19/Jun/2018:19:51:13 -0700(0.000)] "GET /data/eventlog/reserve/22 HTTP/1.1" 404 166 "-" "" ">-" "-" "-"
  • sensor_comms.log shows the following HRESULT: 0x80190194

  • Multihome settings are enabled so the UI uses a different port from the backend

Cause

This occurs when a sensor has already registered with the server and the port number used to check in is changed from the back-end port to the front-end port. This can happen if the SensorBackendServer URL in /var/lib/cb/sensorsettings.ini is manually edited or if the URL is edited in the group settings from the UI.

Resolution

Because the affected sensors cannot check in to the server, updating the URL for the group in the UI will not push the change to endpoints that are already affected. To fix this, the SensorBackendServer field must be updated to the proper port on every affected endpoint. If a large number of endpoints are affected, this can be done with a scripting tool. For fewer endpoints, you can simply re-install the sensor using a package containing the right URL and port.

To update manually or via a tool

    1. Edit /var/lib/cb/sensorsettings.ini

    2. Update SensorBackendServer to use the sensor backend port.

      Typically this will be changing the port from 8443 to 433. It will match the settings in your multihome configuration.

    3. Restart the sensor
      1. Linux
        service cbdaemon restart
      2. OSX
        sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
        sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist
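
The steps above as a script that can be pushed to many endpoints. This is an added example, not Carbon Black tooling. It assumes the setting is stored as a single line of the form SensorBackendServer=https://host:port; the helper name set_backend_port and the script name fix_backend_port.sh are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: sensorsettings.ini stores the setting as one line
# of the form "SensorBackendServer=https://host:port".

# set_backend_port FILE PORT (hypothetical helper)
# Rewrites only the port on the SensorBackendServer line. Prints "changed" or
# "unchanged"; returns non-zero without touching the file on any error.
set_backend_port() {
    file=$1 port=$2
    pat='^(SensorBackendServer=https?://[^/:]+):[0-9]+'
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    # Refuse to guess when the line is missing or carries no explicit port.
    grep -Eq "$pat" "$file" || { echo "no backend URL with port in $file" >&2; return 3; }
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    sed -E "s#${pat}#\\1:${port}#" "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"; echo unchanged; return 0
    fi
    cp -p "$file" "${file}.bak" &&  # keep the previous settings for rollback
        cat "$tmp" > "$file" &&     # overwrite in place: owner and mode are kept
        rm -f "$tmp" && echo changed
}

# Usage (as root): sh fix_backend_port.sh /var/lib/cb/sensorsettings.ini PORT
# PORT is the sensor backend port from your multihome configuration.
if [ "$#" -eq 2 ]; then
    result=$(set_backend_port "$1" "$2") || exit $?
    echo "$1: $result"
    if [ "$result" = changed ]; then   # restart only when something changed
        case $(uname -s) in
            Darwin)
                launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
                launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist ;;
            *)  service cbdaemon restart ;;
        esac
    fi
fi
```

The script leaves the file untouched and exits non-zero if the SensorBackendServer line is missing or has no port, so a deployment tool can report those endpoints for manual review.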

Additional Notes

This will only occur when the sensor is attempting to connect through the UI port. This is because Response accepts this as a request, but processes it incorrectly and attempts to access files in the wrong location. For reference, the sensor server configuration uses a file called cb.server.sensor to locate the right files.

Related Content

Cb Response: Windows sensors showing offline and reporting 404s on the backend

Article Information
Creation Date: 06-22-2018