
EDR: Cb Threat Intel Enabled But Not Connected

By CB_Support posted Nov 21, 2018 06:46 PM


Environment

  • EDR Console: 5.x and Higher (formerly CB Response)

Symptoms

The EDR Console shows the error "Cb Threat Intel enabled but not connected"

Cause

The EDR server may be temporarily disconnected from the Cb Alliance server because of a networking or proxy problem on the customer side, or traffic congestion on the Alliance server.

Resolution

  1. Verify that the EDR Alliance systems are operational: https://status.carbonblack.com
  2. If the Alliance status page reports All Systems Operational, restart the EDR services
  3. If 400/500/600-series errors persist after the service restart:
    1. Upload the redis Alliance communication status to the Alliance server with the cbpost command (the date format keeps the file name free of spaces; note that the glob on the upload also picks up any earlier captures left in /tmp):
      • redis-cli -n 1 hgetall AllianceCommStatus > /tmp/comms_troubleshooting-`hostname`_`date +%Y%m%d-%H%M%S`.txt && /usr/share/cb/cbpost /tmp/comms_troubleshooting*
    2. Upload the PostgreSQL Alliance communication history to the Alliance server with the cbpost command:
      • psql -d cb -p 5002 -c "SELECT * FROM allianceclient_comm_history ORDER BY timestamp DESC;" > /tmp/alliancecommhistory.out && /usr/share/cb/cbpost /tmp/alliancecommhistory.out
    3. Make an Alliance connection attempt with the server's client certificate and post the output to the case if it shows an error (stderr is captured too, and the file is posted even when curl exits non-zero, which is exactly the case of interest):
      • curl --cert /etc/cb/certs/carbonblack-alliance-client.crt --key /etc/cb/certs/carbonblack-alliance-client.key https://api.alliance.carbonblack.com:443/api/v1/feeds/ > /tmp/alliance_comm_test.out 2>&1; /usr/share/cb/cbpost /tmp/alliance_comm_test.out
  4. Upload cbdiags to Alliance (see the KB article "CB Response: Generate cbdiag for on-prem server")
  5. Update the case when the uploads have been completed

Additional Notes

  • Warning: Logs must be collected within 30 minutes of a communication error appearing, otherwise the relevant information will no longer be present
  • The curl command in step 3 verifies that the server can present its Alliance client certificate and reach an Alliance feed without a certificate error
  • To list only the feeds that have an error, run the following (hgetall prints each feed name on one line and its status on the next; the sed keeps the name/status pairs whose status line does not contain 200,, and the $!N guard stops GNU sed from printing the final status line unconditionally):
    redis-cli -n 1 hgetall AllianceCommStatus | sed '$!N;/200,/!P;D'
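
The script below is an added example and not Carbon Black's own tooling. It bundles the three captures from Resolution step 3 into one timestamped directory, lists the failing feeds from the AllianceCommStatus hash (the same filter as the note above, done with paste/awk instead of sed), records the curl exit status with a short hint so a certificate problem is not confused with a network or proxy problem, and posts each file with cbpost. Paths, ports and the Alliance URL are taken from this article; the layout of the sample AllianceCommStatus values used for the self-check is constructed for illustration, and the real status strings on a server may differ.

```shell
#!/bin/sh
# Added example for this KB article (not Carbon Black's own tooling): collect the
# Alliance troubleshooting data from Resolution step 3 into one timestamped
# directory, show which feeds are failing, and upload the files with cbpost.
# Paths and commands come from the article; the sample value layout below is
# CONSTRUCTED for the self-check only.

ALLIANCE_URL="https://api.alliance.carbonblack.com:443/api/v1/feeds/"
CERT=/etc/cb/certs/carbonblack-alliance-client.crt
KEY=/etc/cb/certs/carbonblack-alliance-client.key
CBPOST=/usr/share/cb/cbpost

# hgetall prints a field name on one line and its value on the next. Pair the
# lines with paste (tab separated) and keep entries whose value lacks "200,",
# the healthy status the article's note filters on.
failing_feeds() {
    paste - - | awk -F'\t' '$2 !~ /200,/'
}

# Map the curl exit status to the likely cause (codes from curl(1) EXIT CODES)
# so a client-certificate failure is distinguished from DNS, proxy or timeout.
curl_exit_hint() {
    case "$1" in
        0)  echo "ok: TLS connection and request completed" ;;
        6)  echo "dns: could not resolve the Alliance host" ;;
        7)  echo "network/proxy: failed to connect to the Alliance host" ;;
        28) echo "timeout: connection or response too slow" ;;
        35) echo "tls: SSL connect error (handshake failed)" ;;
        58) echo "cert: problem with the local client certificate/key" ;;
        60) echo "cert: peer certificate could not be authenticated" ;;
        *)  echo "curl exit $1: see curl(1) EXIT CODES" ;;
    esac
}

# Constructed sample of hgetall output for the self-check (not real server data).
SAMPLE_HGETALL='feed_a
200,2018-11-21 18:46:00
feed_b
503,2018-11-21 18:40:11
feed_c
200,2018-11-21 18:45:59'

sample_failing_count() {
    printf '%s\n' "$SAMPLE_HGETALL" | failing_feeds | wc -l | tr -d ' '
}

sample_failing_name() {
    printf '%s\n' "$SAMPLE_HGETALL" | failing_feeds | cut -f1
}

collect() {
    stamp=$(date +%Y%m%d-%H%M%S)
    out="/tmp/alliance_comm-$(hostname)-$stamp"
    mkdir -p "$out"

    # Step 3.1: redis Alliance communication status, plus the failing subset.
    redis-cli -n 1 hgetall AllianceCommStatus > "$out/alliance_comm_status.txt"
    failing_feeds < "$out/alliance_comm_status.txt" > "$out/failing_feeds.txt"

    # Step 3.2: PostgreSQL Alliance communication history, newest first.
    psql -d cb -p 5002 -c "SELECT * FROM allianceclient_comm_history ORDER BY timestamp DESC;" \
        > "$out/alliance_comm_history.txt"

    # Step 3.3: connection attempt with the client certificate. stderr and the
    # HTTP status are kept, and the exit code is translated into a hint.
    curl -sS -w '\nhttp_code=%{http_code}\n' --cert "$CERT" --key "$KEY" "$ALLIANCE_URL" \
        > "$out/alliance_comm_test.out" 2> "$out/alliance_comm_test.err"
    rc=$?
    curl_exit_hint "$rc" > "$out/alliance_comm_test.hint"

    # Post each file individually, as the article does with cbpost.
    for f in "$out"/*; do
        "$CBPOST" "$f"
    done
}

# Only run the collection when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "collect" ]; then
    collect
fi
```

Run it on the EDR server as `sh alliance_collect.sh collect` within 30 minutes of the error appearing; the `.hint` file tells you at a glance whether the curl step failed on DNS, connectivity, or the client certificate.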
