EDR: How to Verify if Ingress Filtering is Working

  • EDR Server: All Versions


How to verify that the ingress filter is dropping events as expected


  1. Verify via cbstats for a rough check
    /usr/share/cb/cbstats -m,SensorUpload.events_written 5
    1. Check the ratio of events (ev) to events_written (ev_wrtn) to confirm that events are being dropped
  2. Verify via logs for a verbose confirmation to see matched events
    1. Open the datastore logging configuration, /etc/cb/datastore/logback.conf.xml, for editing (this can be done on any node that holds events)
    2. Look for the following
      <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="INFO" />
    3. Change from INFO to DEBUG
      <logger name="com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters" level="DEBUG" />
    4. Tail the datastore debug log for a live view of matched events. No service restart is required
      tail -f /var/log/cb/datastore/debug.log | grep -i "REJECTING"
    5. After verification, set the level back to INFO so the debug log does not fill storage
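The logger edit in step 2 and the revert in step 5 can be scripted and checked rather than done by hand. The following is an added example, not code from the article or from Carbon Black: it assumes the logger line looks exactly as quoted above, and the CB_LOGBACK variable (a name chosen here) can point at a copy of the file for a dry run.

```shell
#!/bin/sh
# Added example (not from the article): switch the ingress_filters logger
# between INFO and DEBUG in logback.conf.xml and read the level back.
# Assumptions: the logger element matches the one quoted in the article;
# CB_LOGBACK (hypothetical name) overrides the file path for testing.

CB_LOGBACK="${CB_LOGBACK:-/etc/cb/datastore/logback.conf.xml}"
INGRESS_LOGGER='com.carbonblack.cbfs.ingress_search.event_processors.ingress_filters'

# Print the current level of the ingress_filters logger (INFO, DEBUG, ...).
ingress_filter_log_level() {
  sed -n "s/.*<logger name=\"$INGRESS_LOGGER\" level=\"\([A-Z]*\)\".*/\1/p" "$CB_LOGBACK"
}

# Set the level; only INFO or DEBUG are accepted, a backup copy is kept,
# and the function fails unless the file reads back with the new level.
set_ingress_filter_log_level() {
  level="$1"
  case "$level" in
    INFO|DEBUG) ;;
    *) echo "unsupported level: $level" >&2; return 2 ;;
  esac
  cp "$CB_LOGBACK" "$CB_LOGBACK.bak" || return 1
  sed "s|\(<logger name=\"$INGRESS_LOGGER\" level=\"\)[A-Z]*\(\"\)|\1$level\2|" \
    "$CB_LOGBACK" > "$CB_LOGBACK.tmp" || return 1
  mv "$CB_LOGBACK.tmp" "$CB_LOGBACK" || return 1
  [ "$(ingress_filter_log_level)" = "$level" ]
}
```

Run `set_ingress_filter_log_level DEBUG` before tailing the debug log and `set_ingress_filter_log_level INFO` once verification is done; the read-back check makes a silent no-op edit visible.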
