EDR: Disk Full Due to JSON Files

Environment

  • EDR Server: 6.X

Symptoms

  • Disk space is consumed by .json* files accumulating in the /var/cb/data/ directory
  • Data retention is low

Cause

Cb-event-forwarder is configured to write its output as JSON files to a volume with limited space.

Resolution

There is currently no mechanism in the EDR product to clean up these JSON files. Either direct the output to another volume with enough space, or create a cron job to purge the files.

Additional Notes

  • Output type is defined in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf.
  • Add the lines below to the bottom of the '/etc/cb/cron/cb.cron.template' file to automatically remove the
    'event_bridge_output.json' files. The entry runs once a day at midnight and removes any matching files
    modified more than 7 days ago, which keeps one week of 'event_bridge_output.json*' files:

    # Remove old event-forwarder files that were modified over 7 days ago. Runs once a night at midnight
    0 0 * * * root find /var/cb/data -iname "event_bridge_output.json*" -mtime +7 -exec rm -f {} \;

  • A restart of the services is needed for the changes to take effect:
    EDR: How to Restart Server Services
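
To check what the cron entry above would delete before enabling it, the following added example (not Carbon Black code) wraps the same find expression in a dry-run/delete helper. The function names `purge_forwarder_json` and `count_purge_candidates` and their arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the EDR product): preview or purge old
# event-forwarder output files. Function names and arguments are hypothetical.
#
# usage: purge_forwarder_json DIR DAYS [--delete]
#   DIR   directory holding event_bridge_output.json* (page: /var/cb/data)
#   DAYS  age threshold in days, as passed to find -mtime (page: 7)
# Without --delete, matching files are only listed (dry run).
purge_forwarder_json() {
    dir=$1
    days=$2
    mode=${3:-}

    # Refuse a missing directory or a non-numeric age so that a typo
    # can never widen the set of files matched.
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $days in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 2 ;;
    esac

    case $mode in
        '')
            # Dry run: print the files the cron entry would remove.
            find "$dir" -type f -iname 'event_bridge_output.json*' \
                -mtime +"$days" -print
            ;;
        --delete)
            # -type f limits removal to regular files; -print logs each one.
            find "$dir" -type f -iname 'event_bridge_output.json*' \
                -mtime +"$days" -print -exec rm -f {} \;
            ;;
        *)
            echo "unknown option: $mode" >&2
            return 2
            ;;
    esac
}

# Number of files a purge would remove, for a quick check before enabling cron.
count_purge_candidates() {
    purge_forwarder_json "$1" "$2" | wc -l | tr -d ' '
}
```

After sourcing the file, `purge_forwarder_json /var/cb/data 7` lists the candidates without touching them.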

Article Information
Creation Date: 09-10-2018