Version
All versions

Issue

Logs within /var/log/cb/audit (banning.log, isolation.log and live-response.log) are not being written with recent information.

Symptoms
The recent activity can be found in the rotated log and not in the current log as expected (for example in live-response.log-20160117 instead of in live-response.log)

Cause
File handles remain open through log rotation and are not properly refreshed, resulting in new data being written to the rotated logs.

Solution

This issue will be fixed in a future release of Carbon Black Enteprise Response and will be documented in the release notes with the following code: CB-8610.

As a workaround for the issue you can perform the following:

In the /etc/logrotate.d/cb file, change the audit section to this:

/var/log/cb/audit/*.log

{

    copytruncate

    compress

    weekly

    dateext

    delaycompress

    missingok

}

This will keep the file handle on the current log, copy the content to a rotated one and then truncate the current log file.

New data will be then written to the current log since the file handle will not change.