logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: Will sensor record new events after disk filled up due to event submission failure to server?

EDR: Will sensor record new events after disk filled up due to event submission failure to server?

Environment

  • EDR sensor: All supported versions

Question

EDR: Will sensor record new events after disk filled up due to event submission failure to server?

Answer

No, new events would be dropped and the old events are kept.

Additional Notes

  • Once a sensor gets a 200 for reserve calls, it submits the data to the server via a submit2 call and deletes the event data locally.
  • Once a sensor gets a 400/500 error from the server where it can't submit, it will hold the events to disk up until the set storage size in the sensor groups, 2% of disk or 500MB by default, whichever it hits first.
  • New events would be dropped and the old ones are kept if sensor cannot submit to server.

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎03-30-2022
Views:
228
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.