logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Partial or Truncated Messages using Syslog/Event Forwarder

EDR: Partial or Truncated Messages using Syslog/Event Forwarder

Environment

  • EDR Server: All Versions
  • CB Event Forwarder: All Versions

Symptoms

  • Messages being sent to from the EDR server to the SIEM are incomplete or truncated.
  • You will see a similar message in /var/log/cb/notifications/cb-all-notifications.log. Specifically noting the gap between <warning> and the next line starting with "..." 
    <warning>...f6b242fb5' alliance_score_tor='30' alliance_link_tor='http://www..org' alliance_updated_srstrust='2014-10-07T00:29:07.000Z' alliance_updated_tor='2016-12-9:T13:15:13.000Z' alliance_data_tor='TOR-Node-XXX.XX.XX.XX'

Cause

  • By default, MaxSyslogSenderMessageSize is set to the default value of rsyslog.

Resolution

  1. Use an editor to modify /etc/cb/cb.conf. Find the following configuration and set the values to 4096. Make sure to remove the comment (#) 
    MaxSyslogSenderMessageSize=

MaxCbLoggingMessageSize=
  2. Add the following parameter to the top of the /etc/rsyslog.conf under the "#### Modules ####" section: 
    $MaxMessageSize 4096
  3. Restart the Service:
    1. Syslog 
      service rsyslog restart
    2. Event Forwarder 
      initctl start cb-event-forwarder

initctl stop cb-event-forwarder
  4. Restart EDR Services - EDR: How to Restart Server Services

Additional Notes

Be sure to also check on message rate limiting in the this document - EDR: Syslog Notifications are being sent due to rate limiting

Related Content


Labels (1)
Labels:
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎11-29-2018
Views:
1679
Contributors
logo