EDR: How to Temporarily Disable a Minion During OS Level Outage

Environment

  • EDR Server: All Versions

Objective

How to temporarily disable a minion that has been taken down due to an OS level outage

Resolution

1) Open /etc/cb/cluster.conf for editing

2) Comment out all lines for the problematic minion:
#[Minion X]
#Host=
#User=
#HasEvents
#ReadOnly

3) Adjust the NodeCount= line down by one

4) Save the file

5) Delete the following to correct the RabbitMQ starting order:
rm -rf /var/cb/data/rabbitmq/mnesia
rm -f /var/cb/.erlang.cookie
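
Steps 2 and 3 as a script, run against a copy of the file. This is an added example, not tooling shipped with EDR; the function names, the [Cluster] section and the sample addresses are assumptions constructed for illustration. It keeps a .bak copy for the later revert and does not perform step 5.

```shell
#!/bin/sh
# Added example: applies steps 2-3 to a COPY of cluster.conf, never the live file.
# Layout assumed from the article: "[Minion X]" headers and a "NodeCount=" line.

# make_sample <path>: write a constructed cluster.conf (not real product output).
make_sample() {
    cat > "$1" <<'EOF'
[Cluster]
NodeCount=3

[Minion 1]
Host=192.0.2.11
User=root

[Minion 2]
Host=192.0.2.12
User=root
EOF
}

# disable_minion <conf-file> <section-name>
# Comments out every line of the named section and lowers NodeCount by one.
disable_minion() {
    conf=$1
    section=$2
    # Refuse to edit unless the section exists and is not already commented out,
    # so a second run cannot decrement NodeCount twice.
    grep -qxF "[$section]" "$conf" || {
        echo "no active [$section] in $conf" >&2
        return 1
    }
    cp -p "$conf" "$conf.bak" || return 1   # kept for re-adding the minion later
    awk -v want="[$section]" '
        /^\[/         { in_sec = ($0 == want) }   # every header opens a new section
        in_sec && NF  { print "#" $0; next }      # comment out its non-blank lines
        /^NodeCount=/ { split($0, kv, "="); print "NodeCount=" (kv[2] - 1); next }
                      { print }
    ' "$conf.bak" > "$conf"
}

# Demo on a temporary file: print the edited result, then clean up.
tmp=$(mktemp) && make_sample "$tmp" && disable_minion "$tmp" "Minion 1" && cat "$tmp"
rm -f "$tmp" "$tmp.bak"
```

Compare the result with the .bak copy (for example with diff) before saving it over /etc/cb/cluster.conf.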

Additional Notes

  • All sensors that report to that minion node will be reassigned to other nodes in a load-balanced way. Once the minion server is back up and running, you can revert the configuration to add the minion back in. Sensors will again be reassigned. Unfortunately, because of load balancing, some sensors that were not previously assigned to this minion could now be assigned to it.
  • If the downed minion is replaced with a new machine, use the /usr/share/cb/cbcluster add-node tool instead.

Article Information
Creation Date: 11-22-2023