logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: What data is lost if the primary node in a cluster need to be restored?

EDR: What data is lost if the primary node in a cluster need to be restored?

Environment

  • EDR Server: 7.x
  • Cluster

Question

What data will be lost if a primary node in a cluster must be restored if all the other nodes are running?

Answer

  • In an eventless primary node
    • Any changes in the UI would be lost, i.e., watchlists, new sensor groups, etc.
    • Any binary files and metadata uploaded since the backup
  • In a primary node with events all of the above as well as process events would be lost

Additional Notes

  • Some event data can be copied over from the minions. Cbmodules is synced over to the minions, so that can be copied over to the primary node. Any binaries themselves from the downtime would be lost, but metadata would still be there. New sensors seeing binary would upload the files.
  • If building a new primary node, copy certs from the minions. This should allow sensors to still check into the server, but would check in under the default group.

Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎04-19-2022
Views:
259
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.