EDR: Why did an Alert Fire for an Older Event?

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Question

Why did an alert fire for an older event?

Answer

The sensor was not connected to the server between the time of the event and the time the alert was triggered. The server can only evaluate an event (and raise an alert on it) once the sensor reconnects and delivers it, so the alert time reflects the sensor's check-in time rather than the time the event actually occurred.

Additional Notes

  • The sensor core driver buffers up to 12k of events in memory. When services are stopped, the buffered events are rolled to disk. If the memory limit or the on-disk storage limit is reached while the sensor is offline, newer events are dropped, so an event from that period may arrive late or not at all.
  • Use /var/log/cb/nginx/access.log to find when the sensor first checked back in. The following command helps; the sensorid can be found on the sensor's details page. The -f flag lets zcat read the current, uncompressed log as well as the rotated .gz copies, and the trailing space in the pattern keeps a sensor id from matching a longer id that merely starts with the same digits.
    zcat -f /var/log/cb/nginx/access.log* | grep '/<sensorid> '
  • Convert that first check-in timestamp to GMT and compare it against firewall logs to confirm the sensor could not reach the server during the gap.
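As an added illustration (not part of the original article or of Carbon Black's own tooling), the following Python performs the same check as the zcat/grep command above, converting each nginx timestamp to GMT so it can be set against the event time and the alert time. The sample log lines, the sensor id 1042, the /sensor/checkin/<sensorid> request path, and the event and alert times are all constructed for this example; the only thing taken from the article is the match rule that the request path ends in /<sensorid>.

```python
import gzip
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample in nginx "combined" log format (not a real server's log).
# The request path /sensor/checkin/<sensorid> is a placeholder: the check only
# relies on the path ending in "/<sensorid>", which is what grep '/<sensorid> ' matches.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Mar/2019:09:15:02 -0700] "POST /sensor/checkin/1042 HTTP/1.1" 200 512 "-" "cb-sensor"
10.0.0.9 - - [22/Mar/2019:11:41:37 -0700] "POST /sensor/checkin/10421 HTTP/1.1" 200 512 "-" "cb-sensor"
10.0.0.5 - - [25/Mar/2019:16:03:10 -0700] "POST /sensor/checkin/1042 HTTP/1.1" 200 512 "-" "cb-sensor"
10.0.0.5 - - [25/Mar/2019:16:08:44 -0700] "POST /sensor/checkin/1042 HTTP/1.1" 200 512 "-" "cb-sensor"
"""

# Constructed scenario: the event happened while sensor 1042 was offline and the
# alert fired on 25 Mar 2019 at 23:04 GMT, shortly after the sensor came back.
SENSOR_ID = 1042
EVENT_TIME = datetime(2019, 3, 23, 2, 0, tzinfo=timezone.utc)
ALERT_TIME = datetime(2019, 3, 25, 23, 4, tzinfo=timezone.utc)

# The bracketed timestamp and the request path; nothing else in the line matters here.
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) ')


def read_access_logs(paths):
    """Yield lines from the current and rotated logs, reading .gz files transparently
    (the equivalent of `zcat -f /var/log/cb/nginx/access.log*`)."""
    for path in sorted(Path(p) for p in paths):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


def checkins_for_sensor(lines, sensor_id):
    """Return the GMT timestamps of every request whose path ends in /<sensor_id>, sorted.

    nginx writes the server's local time with its UTC offset, so each value is
    converted to UTC before it is compared with anything else."""
    suffix = f"/{sensor_id}"
    found = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m.group("path").endswith(suffix):
            continue  # other sensors, including ids that merely share a prefix (10421 vs 1042)
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        found.append(ts.astimezone(timezone.utc))
    return sorted(found)


def offline_window(lines, sensor_id, event_time):
    """Return (last check-in at or before event_time, first check-in after it).

    Either side is None when the log has no check-in on that side; the pair
    brackets the period during which the sensor was not talking to the server."""
    checkins = checkins_for_sensor(lines, sensor_id)
    before = [t for t in checkins if t <= event_time]
    after = [t for t in checkins if t > event_time]
    return (before[-1] if before else None, after[0] if after else None)


def late_alert_explained(lines, sensor_id, event_time, alert_time,
                         slack=timedelta(minutes=15)):
    """True when the late alert is accounted for by the sensor being offline, i.e. the
    sensor's first check-in after the event falls within `slack` before the alert.

    False means the sensor was already reporting well before the alert fired, so a
    connectivity gap alone does not explain the delay and something else needs a look."""
    _, first_after = offline_window(lines, sensor_id, event_time)
    if first_after is None:
        return False  # the sensor never reconnected in this log; the alert came from elsewhere
    return first_after <= alert_time and (alert_time - first_after) <= slack


if __name__ == "__main__":
    lines = SAMPLE_ACCESS_LOG.splitlines()
    last_before, first_after = offline_window(lines, SENSOR_ID, EVENT_TIME)
    print(f"last check-in before event: {last_before}")
    print(f"first check-in after event: {first_after}")
    print(f"offline gap explains the late alert: "
          f"{late_alert_explained(lines, SENSOR_ID, EVENT_TIME, ALERT_TIME)}")
```

On a real server, replace the sample with `read_access_logs(glob.glob('/var/log/cb/nginx/access.log*'))` and take the event and alert times from the alert's details. The `offline_window` pair is what you then set against the firewall logs: the firewall should show no traffic from the sensor host to the server between those two timestamps.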

Article Information
Creation Date: 03-29-2019