Missing Syslog feed storage events

By akramer posted May 11, 2015 01:58 PM

  

Version
This solution applies to all Carbon Black versions.


Issue

Following 'feed.ingress.hit.process' events, the subsequent 'feed.storage.hit.process' event is not observed. Note that Syslog events can be found in /var/log/messages, or in /var/log/cb/notifications/cb-all-notifications.log for Watchlists, on the Carbon Black Server. The 'feed.storage.hit' events are important because they indicate the data has been written to disk. An example feed.ingress.hit.process event:

Jan 23 11:18:07 [36618] <warning>  reason=feed.ingress.hit type=event ...

And the expected subsequent feed.storage.hit.process event that is not present:

Jan 23 11:44:12 [38873] <warning>  reason=feed.storage.hit type=event ...

 

Symptoms

The following error message may be observed in /var/log/cb/datastore/debug.log, where mycbserver.local is the server's physical host name:

2015-01-08 00:01:50,524 - [ERROR] - from com.carbonblack.cbfs.ingress_search.IngressScanner in DataStore::Storage_7

Error getting server name or version

java.net.UnknownHostException: mycbserver.local: mycbserver.local: Name or service not known


Solution

To resolve the issue, ensure the Carbon Black server can resolve its own host name by updating the /etc/hosts file, for example:

127.0.0.1 mycbserver mycbserver.local localhost

::1 mycbserver mycbserver.local localhost

After making the above change, restart the services:

service cb-enterprise restart
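
To confirm the fix, the following added example (not part of the original article and not Carbon Black tooling) pulls the unresolved names out of the datastore debug log, checks a hosts file for a name, and asks the system resolver about the server's own names. The function names are hypothetical; the log path is the one given under Symptoms.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Carbon Black tooling.

# hosts_has_name FILE NAME
# Succeeds if NAME is a host name or alias on a non-comment line of a
# hosts-format file such as /etc/hosts.
hosts_has_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {                               # field 1 is the address
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# unresolved_hosts_in_log FILE
# Prints each distinct name reported by java.net.UnknownHostException lines.
unresolved_hosts_in_log() {
    sed -n 's/^.*java\.net\.UnknownHostException: \([^: ]*\):.*$/\1/p' "$1" |
        sort -u
}

# check_self_resolution
# Asks the system resolver (getent follows /etc/nsswitch.conf) for the
# short host name and the FQDN; returns non-zero if either fails.
check_self_resolution() {
    rc=0
    for name in "$(hostname)" "$(hostname -f 2>/dev/null)"; do
        [ -n "$name" ] || continue
        if getent hosts "$name" >/dev/null; then
            echo "OK   $name resolves"
        else
            echo "FAIL $name does not resolve"
            rc=1
        fi
    done
    return "$rc"
}

# Run the checks only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    unresolved_hosts_in_log /var/log/cb/datastore/debug.log
    check_self_resolution
fi
```

A FAIL line for a name that is present in /etc/hosts points at the resolver order in /etc/nsswitch.conf rather than at the hosts file itself.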


Important Note(s)

The symptom may manifest itself in other ways besides missing 'feed.storage.hit' events. If a similar "UnknownHostException" message appears in other logs, follow similar steps to ensure the Carbon Black Server can resolve its own fully qualified domain name.

