Environment

• EDR Server: All Versions

Objective

Resolution

1. Verify via Cbstats for a rough check

   /usr/share/cb/cbstats -m SensorUpload.events,SensorUpload.events_written 5

   1. Check the ratio of events (ev) over events_written (ev_wrtn) to confirm events are being dropped
2. Verify via logs for a verbose confirmation to see matched events
   1. Open the datastore logging configuration for editing (this can be done on any node with events). /etc/cb/datastore/logback.conf.xml
   2. Look for the following

      <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="INFO" />

   3. Change from INFO to DEBUG

      <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="DEBUG" />

   4. Tail the datastore debug log for a live view. Restart of services is not required

      tail -f /var/log/cb/datastore/debug.log | grep -i "REJECTING"

   5. After verification, turn the level back to INFO to avoid filling storage

Additional Notes

• Hit_rate is also visible via API calls to the specific ingress filter. https://developer.carbonblack.com/reference/enterprise-response/6.1/ingress-filter
• Extra spaces when adding filtering paths can prevent them from working correctly
• In EDR Versions below 7.5 this line may not exist and may need to be added

Related Content