Cb Response: Windows sensors showing offline and reporting 404s on the backend

Environment

  • Cb Response: 6.x

  • Windows: All Versions

Symptoms

  • Sensors are showing as offline in the UI

  • /var/log/cb/nginx/error.log shows several errors like the following:

    2018/06/19 19:47:13 [error] 46021#46021: *13939 open() "/var/www/cb/data/eventlog/reserve/22" failed (2: No such file or directory), client: ::ffff:192..., server: , request: "GET /data/eventlog/reserve/22 HTTP/1.1", host: "192...:8443"
  • /var/log/cb/nginx/access.log shows several GET requests with a 404 response

    [19/Jun/2018:19:51:13 -0700(0.000)] "GET /data/eventlog/reserve/22 HTTP/1.1" 404 166 "-" "" ">-" "-" "-"
  • SensorComms.log shows the following HRESULT: 0x80190194

  • Multihome settings are enabled so the UI uses a different port from the backend

Cause

This occurs when a sensor has already registered with the server and the port number used to check in is changed from the back-end port, typically 443, to the front-end port, typically 8443. This can happen if the SensorBackendServer URL in the registry under /HKEY_LOCAL_MACHINE/SOFTWARE/CarbonBlack/config is manually edited or if the URL is edited in the group settings from the UI.

Resolution

Because the sensor cannot check in to the server, updating the URL for the group in the UI will not push the change to affected endpoints. To fix this, the SensorBackendServer registry key on every affected endpoint must be updated to the proper port. If a large number of endpoints are affected, this can be done with a tool such as SCCM. For fewer endpoints, you can simply reinstall the sensor using a package containing the right URL and port.
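To build the list of endpoints that need the change, the error.log signature shown under Symptoms can be counted per client on the server. This Python script is an added example, not Carbon Black tooling; the sample log lines and addresses are constructed, and 8443 is assumed to be the UI port.

```python
import ipaddress
import re
from collections import Counter

UI_PORT = 8443  # assumption: front-end port; set to your multihome UI port

# Constructed sample in the error.log format shown under Symptoms.
# Addresses are documentation-range placeholders, not values from the article.
SAMPLE_ERROR_LOG = '''\
2018/06/19 19:47:13 [error] 46021#46021: *13939 open() "/var/www/cb/data/eventlog/reserve/22" failed (2: No such file or directory), client: ::ffff:192.0.2.10, server: , request: "GET /data/eventlog/reserve/22 HTTP/1.1", host: "192.0.2.1:8443"
2018/06/19 19:51:13 [error] 46021#46021: *13990 open() "/var/www/cb/data/eventlog/reserve/22" failed (2: No such file or directory), client: ::ffff:192.0.2.10, server: , request: "GET /data/eventlog/reserve/22 HTTP/1.1", host: "192.0.2.1:8443"
2018/06/19 19:52:02 [error] 46021#46021: *14002 open() "/var/www/cb/data/eventlog/reserve/37" failed (2: No such file or directory), client: ::ffff:192.0.2.11, server: , request: "GET /data/eventlog/reserve/37 HTTP/1.1", host: "192.0.2.1:8443"
2018/06/19 19:52:40 [error] 46021#46021: *14010 open() "/var/www/cb/favicon.ico" failed (2: No such file or directory), client: ::ffff:192.0.2.12, server: , request: "GET /favicon.ico HTTP/1.1", host: "192.0.2.1:8443"
2018/06/19 19:53:05 [error] 46021#46021: *14021 open() "/var/www/cb/data/eventlog/reserve/41" failed (2: No such file or directory), client: ::ffff:192.0.2.13, server: , request: "GET /data/eventlog/reserve/41 HTTP/1.1", host: "192.0.2.1:443"
'''

# "No such file" open() failure on the eventlog reserve path, with client and host.
ERR_RE = re.compile(
    r'open\(\) "[^"]*/data/eventlog/reserve/\d+" failed \(2: [^)]*\), '
    r'client: (?P<client>[^,]+),.*host: "(?P<host>[^"]+)"'
)

def normalize(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def affected_clients(log_text, ui_port=UI_PORT):
    """Count reserve-path failures per client that arrived on the UI port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m or m.group("host").rpartition(":")[2] != str(ui_port):
            continue
        try:
            hits[normalize(m.group("client").strip())] += 1
        except ValueError:
            continue  # truncated or malformed client field
    return dict(hits)

if __name__ == "__main__":
    for client, count in sorted(affected_clients(SAMPLE_ERROR_LOG).items()):
        print(f"{client}\t{count}")
```

Run it against the real /var/log/cb/nginx/error.log contents to get the client addresses to target with SCCM or a reinstall.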

To update via SCCM or another tool

  1. Update the registry key associated with the check-in URL:

    /HKEY_LOCAL_MACHINE/SOFTWARE/CarbonBlack/config/SensorBackendServer

    Typically this means changing the port from 8443 to 443. The port should match the settings in your multihome configuration.

  2. Restart the sensor by running the following commands, in order, in a Command Prompt run as Administrator:

    sc stop carbonblack
    sc stop carbonblackk
    sc start carbonblack

Additional Notes

This will only occur when the sensor is attempting to connect through the UI port. This is because Response accepts this as a request, but processes it incorrectly and attempts to access files in the wrong location. For reference, the sensor server configuration uses a file called cb.server.sensor to locate the right files.

Related Content

Cb Response: Linux / MacOS sensors showing offline and reporting 404s on the backend

Creation Date: 06-21-2018