Recent activity is not written to current logs under /var/log/cb/audit

Version
All versions


Issue

Logs within /var/log/cb/audit (banning.log, isolation.log and live-response.log) are not being written with recent information.

Symptoms
Recent activity is found in the rotated log rather than in the current log as expected (for example, in live-response.log-20160117 instead of in live-response.log).

Cause
File handles remain open through log rotation and are not properly refreshed, resulting in new data being written to the rotated logs.

Solution

This issue will be fixed in a future release of Carbon Black Enterprise Response and will be documented in the release notes under the identifier CB-8610.

As a workaround for the issue you can perform the following:

In the /etc/logrotate.d/cb file, change the audit section to this:

/var/log/cb/audit/*.log
{
    copytruncate
    compress
    weekly
    dateext
    delaycompress
    missingok
}

With copytruncate, logrotate leaves the open file handle on the current log, copies its content to the rotated file and then truncates the current log file in place.

New data is then written to the current log, because the file handle (and the inode it points to) does not change.
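The following script is an added demonstration, not part of this article or the Carbon Black product. It reproduces the symptom in a scratch directory: a writer opens its log once (as a long-running daemon does), the file is rotated by rename (logrotate's default) or by copy-and-truncate (copytruncate), and the script reports where the next line written through the still-open handle lands. The directory, file name and the -20160117 suffix are constructed to mirror the example in the Symptoms section.

```sh
#!/bin/sh
# Added example (not from the KB): shows why an open file handle keeps writing
# to the rotated file after a rename, and why copytruncate avoids that.
set -e

# demo_rotation STYLE
#   STYLE is "rename" (logrotate default) or "copytruncate".
#   Prints "current" if a line written after rotation lands in the current log,
#   "rotated" if it lands in the rotated copy, "lost" if it is in neither.
demo_rotation() {
    style="$1"
    dir="$(mktemp -d)"                       # stand-in for /var/log/cb/audit
    log="$dir/live-response.log"
    rotated="$log-20160117"                  # constructed dateext-style suffix

    : > "$log"
    exec 3>>"$log"                           # daemon opens the log once, append mode
    printf 'before rotation\n' >&3

    case "$style" in
        rename)
            # Rename the inode and create a fresh file; fd 3 follows the old inode.
            mv "$log" "$rotated"
            : > "$log" ;;
        copytruncate)
            # Copy the bytes out, then truncate in place; fd 3 keeps the same inode.
            cp "$log" "$rotated"
            : > "$log" ;;
        *)
            echo "unknown style: $style" >&2
            exec 3>&-
            rm -rf "$dir"
            return 2 ;;
    esac

    printf 'after rotation\n' >&3            # daemon keeps writing through fd 3
    exec 3>&-

    if grep -q 'after rotation' "$log"; then
        result=current
    elif grep -q 'after rotation' "$rotated"; then
        result=rotated
    else
        result=lost
    fi
    rm -rf "$dir"
    echo "$result"
}

# Stand-alone run: prints "rename: rotated" and "copytruncate: current".
echo "rename: $(demo_rotation rename)"
echo "copytruncate: $(demo_rotation copytruncate)"
```

Two points worth knowing before relying on copytruncate in production: the copy and the truncate are not atomic, so a line written in the small window between them is lost (the logrotate manual documents this), and the writer must open the log in append mode (as the example does with >>) or its next write after truncation lands at the old offset, leaving a run of NUL bytes at the start of the file. On the server itself, `logrotate -d /etc/logrotate.d/cb` dry-runs the new configuration without rotating anything, and `lsof /var/log/cb/audit/live-response.log` confirms which process holds the handle.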

Article Information
Creation Date: 04-04-2016