logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Recent activity is not written to current logs under /var/log/cb/audit

Recent activity is not written to current logs under /var/log/cb/audit

Version
All versions


Issue

Logs within /var/log/cb/audit (banning.log, isolation.log and live-response.log) are not being written with recent information.

Symptoms
The recent activity can be found in the rotated log and not in the current log as expected (for example in live-response.log-20160117 instead of in live-response.log)

Cause
File handles remain open through log rotation and are not properly refreshed, resulting in new data being written to the rotated logs.

Solution

This issue will be fixed in a future release of Carbon Black Enteprise Response and will be documented in the release notes with the following code: CB-8610.

As a workaround for the issue you can perform the following:

In the /etc/logrotate.d/cb file, change the audit section to this:

/var/log/cb/audit/*.log

{

    copytruncate

    compress

    weekly

    dateext

    delaycompress

    missingok

}

This will keep the file handle on the current log, copy the content to a rotated one and then truncate the current log file.

New data will be then written to the current log since the file handle will not change.

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
obonshtein
Creation Date:
‎04-04-2016
Views:
1011
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.