Environment
- EDR Server: Version 7.4+
- Event Forwarder: 3.7.4-1
Symptoms
- An event type is enabled in the configuration (for example events_binary_observed=ALL) but those events do not appear in the JSON output file.
- Event Forwarder JSON files contain process entries whose fields are not in alphabetical order (the default ordering).
- Other odd behaviour from an Event Forwarder 3.7.4-1 installation performed before July 2021.
- Fields are missing; for example, process events have no timestamps.
Cause
Some Event Forwarder 3.7.4-1 installations performed before July 2021 were faulty and produced a variety of odd behaviours.
Resolution
1. Reinstalling Event Forwarder 3.7.4-1 has reportedly fixed most of these problems. Remember to enable the CbOpenSource.repo yum repository before running the commands below.
systemctl stop cb-event-forwarder      # stop the forwarder so no files are written during the reinstall
yum clean all                          # discard cached package metadata so the repo is re-read
yum reinstall cb-event-forwarder       # reinstall the same version from CbOpenSource.repo
systemctl start cb-event-forwarder     # start the forwarder again and verify JSON output resumes
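As an added post-reinstall check (example code written for this article, not part of the Event Forwarder project), the script below scans a JSON-lines output file for the symptoms listed above: expected event types that never appear, process events with no timestamp, entries whose fields are not alphabetical, and unparseable lines. The sample lines are constructed, and the field names "type" and "timestamp" and the event type strings are assumptions to adjust to what your forwarder actually emits.

```python
import json
from collections import Counter

# Constructed sample of Event Forwarder JSON-lines output (not real forwarder data).
# Line 1 is healthy, line 2 lacks a timestamp, line 3 has unsorted keys, line 4 is truncated.
SAMPLE_LINES = [
    '{"process_guid": "aaaa-0001", "timestamp": 1625097600, "type": "ingress.event.procstart"}',
    '{"process_guid": "aaaa-0002", "type": "ingress.event.procstart"}',
    '{"type": "ingress.event.procend", "timestamp": 1625097601, "process_guid": "aaaa-0003"}',
    '{"type": "ingress.event.procstart"',
]

# Assumed event type strings; replace with the names your forwarder configuration enables.
EXPECTED_TYPES = ["ingress.event.procstart", "ingress.event.binaryobserved"]


def check_forwarder_output(lines, expected_types, required_fields=("timestamp",)):
    """Scan JSON-lines output and report the symptoms described in this article.

    Returns per-type counts, expected types that never appeared, events missing
    required fields, lines whose keys are not alphabetical, and unparseable lines.
    """
    counts = Counter()
    missing_fields = []   # (line_no, event_type, field)
    unsorted_keys = []    # line numbers whose keys are not in alphabetical order
    malformed = []        # line numbers that are not valid JSON
    for line_no, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)  # json.loads preserves the document's key order
        except json.JSONDecodeError:
            malformed.append(line_no)
            continue
        event_type = event.get("type", "<missing type>")
        counts[event_type] += 1
        for field in required_fields:
            if field not in event:
                missing_fields.append((line_no, event_type, field))
        keys = list(event)
        if keys != sorted(keys):
            unsorted_keys.append(line_no)
    return {
        "counts": dict(counts),
        "absent_types": [t for t in expected_types if counts[t] == 0],
        "missing_fields": missing_fields,
        "unsorted_keys": unsorted_keys,
        "malformed": malformed,
    }


if __name__ == "__main__":
    for key, value in check_forwarder_output(SAMPLE_LINES, EXPECTED_TYPES).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass `open(path)` as the `lines` argument; any non-empty result other than `counts` points at one of the symptoms above still being present.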