- EDR Server: 6.x and Higher
This issue is caused when rsyslog rate limiting is enabled
Note: the changes below are external to Carbon Black and it is up to the customer to consider if this should be done or not.
- Disable rate limiting by modifying /etc/rsyslog.conf to:
- Restart the Rsyslog service
service rsyslog restart
- Setting $SystemLogRateLimitInterval to 0 turns off rate limiting entirely
- Setting $SystemLogRateLimitBurst to 1000 increases the threshold of the number of messages for rate limiting very high