Single Process Document Older Than Retention Settings

Version

Cb Response 5.x

Issue

A single process document is still present even though the process ran before the MaxEventStoreDays retention window configured in /etc/cb/cb.conf.

Symptoms

  1. The Process Analysis page shows a last update from x months ago, which is beyond the MaxEventStoreDays setting.
  2. The last_server_update date in the Solr process document is fewer days old than the MaxEventStoreDays retention setting.
    Note: To collect the last_server_update field from a process document follow the Process Document section of this guide:
    Query Documents Via Curl (SSH/Terminal)

Cause

A feed or watchlist hit on the process sets its last_server_update to the current time. This ensures you have enough time to analyze the feed hit before the process document is purged, and helps reduce instances of the 404 error described here:
Selecting an event from the Alerts page results in a 404 page

Note: In rare cases this can happen multiple times, extending the retention of the document well beyond the standard retention period.

Solution

The product is working as designed. If the document receives no further hits, it will be purged once MaxEventStoreDays is reached, counted from its last_server_update.

Article Information
Creation Date: 01-09-2017