Version
All versions
Issue
The audit logs in /var/log/cb/audit (banning.log, isolation.log and live-response.log) stop receiving new entries after log rotation.
Symptoms
Recent activity appears in the rotated log (for example live-response.log-20160117) rather than in the current log (live-response.log) where it is expected.
Cause
The services keep their audit log file handles open across log rotation and do not reopen them. Because logrotate renames the file, the still-open handle follows the renamed (rotated) file, so new data continues to be written there instead of to the freshly created current log.
Solution
This issue will be fixed in a future release of Carbon Black Enterprise Response and will be documented in the release notes under the reference CB-8610.
Until then, the following workaround can be applied:
In the /etc/logrotate.d/cb file, change the audit section to this:
/var/log/cb/audit/*.log {
    copytruncate    # copy the log aside and truncate it in place instead of renaming it
    compress
    weekly
    dateext         # rotated copies are named *.log-YYYYMMDD
    delaycompress   # compress on the next rotation rather than immediately
    missingok
}
With copytruncate, logrotate copies the content of the current log to the dated rotated file and then truncates the current log in place. The file handle held by the service is never invalidated, so new data is written to the current log again.
Note that any lines the service writes between the copy and the truncate are lost; this is inherent to copytruncate and is why the proper fix (CB-8610) is for the services to reopen their logs on rotation.
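To make the mechanism concrete, the following shell script is an added example and is not part of this article or of the Carbon Black product. A subshell stands in for a daemon that opens its log once on file descriptor 3 and keeps writing through that descriptor, and the log is then rotated the two ways discussed above: by rename (what the default stanza does) and by copy-and-truncate (what copytruncate does). The directory, file names, the log lines and the extra "noappend" variant are assumptions made for illustration.

```sh
#!/bin/sh
# Added demonstration, not part of the Carbon Black article: a stand-in for a
# daemon that opens its log once and never reopens it, rotated two ways.
set -eu

# rotation_demo MODE
#   MODE is one of:
#     rename                 - logrotate default: mv the log aside, create a new empty one
#     copytruncate           - copy the log aside, then truncate it in place
#     copytruncate-noappend  - same, but the "daemon" opened the log without O_APPEND
# Prints three numbers: lines in the current log, lines in the rotated log,
# bytes in the current log.
rotation_demo() {
    mode="$1"
    (
        dir="$(mktemp -d "${TMPDIR:-/tmp}/cbaudit.XXXXXX")"   # assumed scratch location
        log="$dir/live-response.log"
        rotated="$log-20160117"   # dateext-style name, as in the symptom above
        : > "$log"

        # The "daemon": open the log once on fd 3 and keep using that descriptor.
        # Real daemons normally open with O_APPEND (>>); the noappend mode shows
        # what happens when they do not.
        case "$mode" in
            copytruncate-noappend) exec 3>"$log" ;;
            *)                     exec 3>>"$log" ;;
        esac

        printf 'event 1 before rotation\n' >&3   # constructed sample line (24 bytes)

        # logrotate runs while the daemon is up and still holding fd 3.
        case "$mode" in
            rename)
                mv "$log" "$rotated"
                : > "$log"   # new inode; the daemon never opens it
                ;;
            copytruncate|copytruncate-noappend)
                cp "$log" "$rotated"
                : > "$log"   # the inode fd 3 refers to, now empty
                ;;
            *)
                echo "unknown mode: $mode" >&2
                exit 2
                ;;
        esac

        # The daemon keeps logging through the descriptor it already holds.
        printf 'event 2 after rotation\n' >&3    # constructed sample line (23 bytes)
        exec 3>&-

        printf '%s %s %s\n' \
            "$(wc -l < "$log" | tr -d ' ')" \
            "$(wc -l < "$rotated" | tr -d ' ')" \
            "$(wc -c < "$log" | tr -d ' ')"
        rm -rf "$dir"
    )
}

# Stand-alone run: show all three behaviours side by side.
for m in rename copytruncate copytruncate-noappend; do
    printf '%-22s current_lines rotated_lines current_bytes = %s\n' \
        "$m" "$(rotation_demo "$m")"
done
```

With rename rotation both lines end up in live-response.log-20160117 and the current log stays empty, which is exactly the symptom described above. With copytruncate the line written after rotation lands in the current log. The noappend variant shows the one copytruncate caveat worth knowing: a writer that did not open its log with O_APPEND keeps its old file offset after the truncate, so the next write leaves a run of NUL bytes at the start of the file (the current log is 47 bytes long for a single 23-byte line). The lost-data window between the copy and the truncate is not shown here because the stand-in daemon does not write during rotation.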