Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Partial or Truncated Messages using Syslog/Event Forwarder

EDR: Partial or Truncated Messages using Syslog/Event Forwarder

Environment

  • EDR Server: All Versions
  • CB Event Forwarder: All Versions

Symptoms

  • Messages being sent to from the EDR server to the SIEM are incomplete or truncated.
  • You will see a similar message in /var/log/cb/notifications/cb-all-notifications.log. Specifically noting the gap between <warning> and the next line starting with "..."
    <warning>...f6b242fb5' alliance_score_tor='30' alliance_link_tor='http://www..org' alliance_updated_srstrust='2014-10-07T00:29:07.000Z' alliance_updated_tor='2016-12-9:T13:15:13.000Z' alliance_data_tor='TOR-Node-XXX.XX.XX.XX'

Cause

  • By default, MaxSyslogSenderMessageSize is set to the default value of rsyslog.

Resolution

  1. Use an editor to modify /etc/cb/cb.conf. Find the following configuration and set the values to 4096. Make sure to remove the comment (#)
    MaxSyslogSenderMessageSize=
    
    MaxCbLoggingMessageSize=
  2. Add the following parameter to the top of the /etc/rsyslog.conf under the "#### Modules ####" section:
    $MaxMessageSize 4096
  3. Restart the Service:
    1. Syslog
      service rsyslog restart
    2. Event Forwarder
      initctl start cb-event-forwarder
      
      initctl stop cb-event-forwarder
  4. Restart EDR Services - EDR: How to Restart Server Services

Additional Notes

Be sure to also check on message rate limiting in the this document - EDR: Syslog Notifications are being sent due to rate limiting

Related Content


Labels (1)
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎11-29-2018
Views:
1268
Contributors