Access official resources from Carbon Black experts
Cb Response 5.x
Single process ran before MaxEventStoreDays retention settings in /etc/cb/cb.conf
Note: To collect the last_server_update field from a process document follow the Process Document section of this guide:
Query Documents Via Curl (SSH/Terminal)
A feed or watchlist hit on the processes sets the last_server_update to the current time. We want to verify that you have enough time to analyze the feed hit before the process document gets purged. This is to help reduce instances of a 404 error described here:
Selecting an event from the Alerts page results in a 404 page
Note: In rare occurrences this process can happen multiple times, extending the the retention of this document well beyond standard retention periods
The product is working as designed. When the document doesn't receive any hits till MaxEventStoreDays is reached, it will be purged.
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.