Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Not receiving Watchlist events with Environment Proxy configured

Not receiving Watchlist events with Environment Proxy configured

Version
This solution applies to all Carbon Black versions.


Issue

With a proxy configured either through an environment variable or the /etc/environment file, Watchlist results are not present.

 

Symptoms

The following messages may be observed in the /var/log/cb/job-runner/job-runner.log logs:

Apr 16 09:24:05 [4041] <err>  [watchlist_search] Watchlist searcher thread exception

Traceback (most recent call last):

[...]

SolrClientHttpError: HTTP Failure Code 404

Apr 16 09:24:05 [4041] <info>  [watchlist_search] finished watchlist_search -- duration: 0:00:01.551853

Or:

Apr  6 03:20:18 [14541] <err>  [watchlist_search] HTTP 502 from solr: cannotconnect; response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">…

Or:

Apr  7 04:40:17 [29525] <err>  [watchlist_search] Searcher query/tag exception in watchlist entry Newly Loaded Modules (1)

URLError: <urlopen error [Errno 67] request timed out>


Cause

A Proxy is configured at the OS level through the /etc/environment file or an environment variable. How to determine which:

 

Environment Variable:

set |grep -i proxy

http_proxy=127.0.0.1

/etc/environment File:

cat /etc/environment |grep -i proxy

http_proxy=127.0.0.1


Solution

Remove the proxy setting from your environment. An OS level proxy is not necessary as Carbon Black allows for configuration to use a proxy to access external resources such as Yum, or the Alliance Server.

 

For configuring a proxy to access Carbon Black Yum repository, follow the solution: How to access the Carbon Black Yum repository through a proxy.

 

For configuring a proxy to access the Carbon Black Alliance server, refer to the file /etc/cb/cb.conf and the Proxy parameters:

# Alliance Proxy Settings

# Specifies the proxy to be used for internet access

#AllianceClientProxyUrl=http://127.0.0.1:3128

 

# Specify the type of authentication the proxy uses. Supported types are

# either "basic" or "ntlm"

#AllianceClientProxyAuth=basic

 

# Specify the username and password if your proxy requires them.

# Use the script at /usr/share/cb/cbpasswd with the --encryptpasswd

# flag to generate an encrypted version of the proxy password for use

# with the AllianceClientProxyEncryptedPassword field or else

# use AllianceClientProxyPlaintextPassword for unencrypted passwords

#AllianceClientProxyUsername=None

#AllianceClientProxyPlaintextPassword=None

#AllianceClientProxyEncryptedPassword=None

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎05-11-2015
Views:
906
Contributors