Environment
- EDR Server: All Supported Versions
- EDR EventForwarder: All Supported Versions
Symptoms
- Event Forwarder is not sending all selected event types despite seeing subscriptions in the /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
- Example of subscriptions :
2015/12/07 12:57:26 Diagnostics available via HTTP at http://cbtest:33706/debug/vars
2015/12/07 12:57:26 Starting AMQP loop
2015/12/07 12:57:26 Connecting to message bus...
2015/12/07 12:57:26 Subscribed to watchlist.hit.#
2015/12/07 12:57:26 Subscribed to watchlist.storage.hit.#
2015/12/07 12:57:26 Subscribed to feed.ingress.hit.#
2015/12/07 12:57:26 Subscribed to feed.storage.hit.#
2015/12/07 12:57:26 Subscribed to feed.query.hit.#
2015/12/07 12:57:26 Subscribed to alert.watchlist.hit.#
2015/12/07 12:57:26 Subscribed to ingress.event.process
2015/12/07 12:57:26 Subscribed to ingress.event.procstart
2015/12/07 12:57:26 Subscribed to ingress.event.netconn
2015/12/07 12:57:26 Subscribed to ingress.event.procend
2015/12/07 12:57:26 Subscribed to ingress.event.childproc
2015/12/07 12:57:26 Subscribed to ingress.event.moduleload
2015/12/07 12:57:26 Subscribed to ingress.event.module
2015/12/07 12:57:26 Subscribed to ingress.event.filemod
2015/12/07 12:57:26 Subscribed to ingress.event.regmod
Cause
- Misconfiguration in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf or /etc/cb/cb.conf file(s)
Resolution
- Ensure that the appropriate event selections are made in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file :
- Example (note: not all configurations will be the same) :
events_raw_sensor=ingress.event.procstart,ingress.event.netconn,ingress.event.processblock,ingress.event.emetmitigation
events_watchlist=watchlist.hit.process,watchlist.hit.binary,watchlist.storage.hit.process,watchlist.storage.hit.binary
events_feed=feed.ingress.hit.process,feed.ingress.hit.binary,feed.ingress.hit.host,feed.storage.hit.process,feed.storage.hit.binary,feed.query.hit.process,feed.query.hit.binary
events_binary_observed=binaryinfo.observed,binaryinfo.host.observed,binaryinfo.group.observed
events_binary_upload=binarystore.file.added
- Ensure the proper settings are made in the /etc/cb/cb.conf file :
- As an example, if only binarystore.file.adds are being seen in the S3 bucket, verify the following settings in the cb.conf file, particularly DataStoreBroadCastEventTypes:
# If this property is not empty, it will enable publishing of incoming events from
# sensors onto RabbitMQ PUBSUB enterprise bus (see RabbitMQ (cb-rabbitmq service)
# settings in this file). The value of this property consists of one or more of the
# following comma-separated event types that should be published:
# * procstart (or process)
# * procend
# * childproc
# * moduleload
# * module
# * filemod
# * regmod
# * netconn
# If you wish to subscribe for ALL of the above events, "*" value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
# DatastoreBroadcastEventTypes=procstart,netconn
- As another example, if Raw Events are missing verify EnableRawSensorDataBroadcast=True
See this article for more information on enabling RawEvents.
See the Related Content below for more information on the Event Forwarder
Additional Notes
For raw starting events ingress.event.procstart can be used in place of ingress.event.process
Related Content
