Knowledge Base

Yes

Version
All versions

Issue

Logs within /var/log/cb/audit (banning.log, isolation.log and live-response.log) are not being written with recent information.

Symptoms
The recent activity can be found in the rotated log and not in the current log as expected (for example in live-response.log-20160117 instead of in live-response.log)

Cause
File handles remain open through log rotation and are not properly refreshed, resulting in new data being written to the rotated logs.

Solution

This issue will be fixed in a future release of Carbon Black Enteprise Response and will be documented in the release notes with the following code: CB-8610.

As a workaround for the issue you can perform the following:

In the /etc/logrotate.d/cb file, change the audit section to this:

/var/log/cb/audit/*.log
{
    copytruncate
    compress
    weekly
    dateext
    delaycompress
    missingok
}

This will keep the file handle on the current log, copy the content to a rotated one and then truncate the current log file.

New data will be then written to the current log since the file handle will not change.

Knowledge Base

Recent activity is not written to current logs under /var/log/cb/audit

Recent activity is not written to current logs under /var/log/cb/audit

EDR

Knowledge Base

Recent activity is not written to current logs under /var/log/cb/audit

Recent activity is not written to current logs under /var/log/cb/audit

EDR

Thank you for your feedback.

Thank you for your feedback.