Environment

• EDR Server: All Versions
• CB Event Forwarder: All Versions

Symptoms

• Messages being sent to from the EDR server to the SIEM are incomplete or truncated.
• You will see a similar message in /var/log/cb/notifications/cb-all-notifications.log. Specifically noting the gap between <warning> and the next line starting with "..."

  <warning>...f6b242fb5' alliance_score_tor='30' alliance_link_tor='http://www..org' alliance_updated_srstrust='2014-10-07T00:29:07.000Z' alliance_updated_tor='2016-12-9:T13:15:13.000Z' alliance_data_tor='TOR-Node-XXX.XX.XX.XX'

Cause

• By default, MaxSyslogSenderMessageSize is set to the default value of rsyslog.

Resolution

1. Use an editor to modify /etc/cb/cb.conf. Find the following configuration and set the values to 4096. Make sure to remove the comment (#)

   MaxSyslogSenderMessageSize=
   
   MaxCbLoggingMessageSize=

2. Add the following parameter to the top of the /etc/rsyslog.conf under the "#### Modules ####" section:

   $MaxMessageSize 4096

3. Restart the Service:
   1. Syslog

      service rsyslog restart

   2. Event Forwarder

      initctl start cb-event-forwarder
      
      initctl stop cb-event-forwarder

4. Restart EDR Services - EDR: How to Restart Server Services

Additional Notes

Related Content