
EDR: How To Preserve Event Forwarder Log on Restart

Environment

  • EDR Server: All Supported Versions
  • CB Event-Forwarder: 3.7 and Below

Objective

To preserve cb-event-forwarder.log across a restart of the Event Forwarder so that it remains available for troubleshooting.

Resolution

Note: As of version 3.8, logs are preserved automatically.

  1. Edit the file /etc/init/cb-event-forwarder.conf and change:

       exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log

     to:

       exec sh /usr/share/cb/integrations/event-forwarder/cb-event-forwarder.sh

  2. Create a new file, /usr/share/cb/integrations/event-forwarder/cb-event-forwarder.sh, with the following content:

       #!/bin/bash
       # Keep the previous run's log (if there is one) by appending it to the backup file
       [ -f /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log ] && cat /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log >> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log.backup
       # Replace this shell with the forwarder; "> file 2>&1" is the same redirect as the original "&>" and also works when sh is not bash
       exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf > /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log 2>&1

  3. Stop and start the Event Forwarder to apply the change:

       initctl stop cb-event-forwarder
       initctl start cb-event-forwarder
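The wrapper in step 2 appends each old log to a single .backup file that grows on every restart. The following is an added example, not the article's or the product's own script, of a wrapper that instead keeps a fixed number of numbered copies; the retention count KEEP and the "start" argument are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not the article's script: a cb-event-forwarder.sh variant that
# keeps a bounded set of numbered copies of earlier logs (log.1 is newest) rather
# than appending to one ever-growing .backup. KEEP (copies retained) is assumed.

LOG=/var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
BIN=/usr/share/cb/integrations/event-forwarder/cb-event-forwarder
CONF=/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
KEEP=${KEEP:-5}

# preserve_log LOGFILE KEEP
# Rotates LOGFILE -> LOGFILE.1, LOGFILE.1 -> LOGFILE.2, ... and drops LOGFILE.KEEP.
# An absent or empty LOGFILE is left alone. Prints the path of the copy just
# created, or nothing if no copy was made.
preserve_log() {
    logfile=$1
    keep=$2
    if [ ! -s "$logfile" ]; then
        return 0
    fi
    rm -f "$logfile.$keep"               # the oldest copy falls off the end
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -e "$logfile.$prev" ]; then
            mv "$logfile.$prev" "$logfile.$i"
        fi
        i=$prev
    done
    mv "$logfile" "$logfile.1"
    printf '%s\n' "$logfile.1"
}

# preserved_count LOGFILE: number of rotated copies (LOGFILE.1 ... LOGFILE.N) on disk
preserved_count() {
    count=0
    for f in "$1".[0-9]*; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Entry point: the article's upstart stanza would invoke this file with "start"
# (exec sh .../cb-event-forwarder.sh start); without it only the functions are
# defined, so the file can be sourced and exercised without launching anything.
if [ "${1:-}" = start ]; then
    preserve_log "$LOG" "$KEEP" >/dev/null
    exec "$BIN" "$CONF" > "$LOG" 2>&1    # same effect as the article's &> redirect
fi
```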

Additional Notes

The existing log is preserved on restart as cb-event-forwarder.log.backup under /var/log/cb/integrations/cb-event-forwarder/. Because the wrapper appends to that file on every restart, the backup grows until it is rotated or removed manually.

Article Information

Creation Date: 09-09-2020