
Selecting an Event From the Alerts Page Results in a 404 Page

Version

Cb Response 5.x, 6.x

Issue

From the Detect -> Triage Alerts page, selecting an Alert that would normally open the Process Analysis page instead lands on the server's custom 404 page.

Cause

This occurs when the process event the Alert refers to has already been purged, or moved to cold storage, by the data retention settings in /etc/cb/cb.conf. The relevant settings can be listed with:

grep MaxEventStore /etc/cb/cb.conf

Warning: Please do not modify these settings without first contacting Technical Support or Professional Services for approval

5.2.x, 5.3.x

Here are the 5.2 values:

Value                      | Function                                                                                                                                                                | cb.conf Default       | Product Default
MaxEventStoreSizeInDocs    | Decreases query time. Oldest Solr documents purge when this document count limit is met.                                                                                | 60                    | 120
MaxEventStoreSizeInPercent | Prevents running out of disk space. Oldest Solr documents purge when this percentage of disk space is met.                                                              | 70                    | 70
MaxEventStoreDays          | Balances long-running process retention and normal retention. Purges long-running processes. 5.2.6+ also purges modulestore files if binary file sharing with Alliance is disabled. | 30                    | 0 (Unlimited)
MaxEventStoreSizeInMB      | Limits the amount of space Solr can take. Oldest Solr documents purge when Solr reaches this amount of disk space. Same functionality as MaxEventStoreSizeInPercent.     | #1000000 (commented)  | 0 (Unlimited)

Note: More Information about these metrics can be found here: Carbon Black Response v5.2 - Server Configuration (cb.conf) Guide

Note: If KeepAllModuleFiles is set to true, it overrides the MaxEventStoreDays purge of the modulestore; module files are then kept regardless of age.

6.x

Here are the 6.1 values:

Value                      | Function                                                                                                                                                                | cb.conf Default       | Product Default
MaxEventStoreSizeInDocs    | There is no longer an absolute limit on event core size in documents. This setting is ignored.                                                                          | Deprecated            | Deprecated
MaxEventStoreSizeInPercent | Prevents running out of disk space. The oldest Solr core is unmounted or deleted when this percentage of disk space is met.                                            | 90                    | 90
MaxEventStoreDays          | Decreases query time. When a core reaches this age it is unmounted or deleted.                                                                                          | 30                    | 0 (Unlimited)
MaxEventStoreSizeInMB      | Limits the amount of space Solr can take. The oldest Solr core is unmounted or deleted when Solr reaches this amount of disk space. Same functionality as MaxEventStoreSizeInPercent. | #1000000 (commented)  | 0 (Unlimited)

Note: AlwaysDeleteColdPartitions determines whether an aged-out core is unmounted (moved from warm to cold) or deleted outright.

Warning: MaxEventStoreDays behaves differently in 6.x. In 5.x it purges individual long-running process documents; in 6.x it ages out whole Solr cores, so every process event in a core that reaches this age disappears from the UI at once (unmounted or deleted according to AlwaysDeleteColdPartitions).
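The grep above prints commented-out lines (such as the shipped #MaxEventStoreSizeInMB=1000000) alongside active ones, so reading it by eye can mislead. The following script, an added example that is not part of this article or of Cb Response, reads a cb.conf and reports the effective value of each MaxEventStore parameter, substituting the product default from the tables above (6.1 values for version 6, 5.2 values otherwise) when a key is absent or only commented out. It then checks whether a process event of a given age is already past MaxEventStoreDays, which is the condition that produces the 404. The sample cb.conf it writes is constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the original article or from Cb Response.
# Reads a cb.conf and reports the effective MaxEventStore* retention limits.
# "grep MaxEventStore /etc/cb/cb.conf" also prints commented-out lines such as
# "#MaxEventStoreSizeInMB=1000000", so this script treats a key that is absent
# or only commented out as the product default from the tables above (6.1
# values for version 6, 5.2 values otherwise).  The sample cb.conf written by
# cb_write_sample is constructed for the demo, not taken from a real server.

# Print the effective value of key $2 in file $1, or product default $3 when
# the key is absent or appears only in a commented-out line.  The last active
# "Key=value" line wins.
cb_effective() {
  awk -v key="$2" -v dflt="$3" '
    $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
      sub("[ \t]+$", "")
      val = $0; found = 1
    }
    END { print (found ? val : dflt) }
  ' "$1"
}

# Render 0 as "0 (unlimited)", everything else as-is.
cb_fmt() { if [ "$1" = "0" ]; then printf '0 (unlimited)\n'; else printf '%s\n' "$1"; fi; }

# Print one line per MaxEventStore* parameter for file $1 on major version $2
# (5 or 6).  MaxEventStoreSizeInDocs is deprecated in 6.x and is not consulted.
cb_retention_report() {
  _f=$1
  if [ "$2" = "6" ]; then
    printf 'MaxEventStoreSizeInDocs=deprecated (ignored in 6.x)\n'
    printf 'MaxEventStoreSizeInPercent=%s\n' "$(cb_effective "$_f" MaxEventStoreSizeInPercent 90)"
  else
    printf 'MaxEventStoreSizeInDocs=%s\n' "$(cb_effective "$_f" MaxEventStoreSizeInDocs 120)"
    printf 'MaxEventStoreSizeInPercent=%s\n' "$(cb_effective "$_f" MaxEventStoreSizeInPercent 70)"
  fi
  printf 'MaxEventStoreDays=%s\n' "$(cb_fmt "$(cb_effective "$_f" MaxEventStoreDays 0)")"
  printf 'MaxEventStoreSizeInMB=%s\n' "$(cb_fmt "$(cb_effective "$_f" MaxEventStoreSizeInMB 0)")"
}

# Succeed (exit 0) when a process event that is $2 days old is already past the
# effective MaxEventStoreDays in file $1, i.e. the alert's link would 404.
# 0 (unlimited) never ages anything out.
cb_days_exceeded() {
  _days=$(cb_effective "$1" MaxEventStoreDays 0)
  [ "$_days" -gt 0 ] && [ "$2" -ge "$_days" ]
}

# Write a constructed cb.conf fragment to a temp file and print its path.
cb_write_sample() {
  _t=$(mktemp) || return 1
  cat >"$_t" <<'EOF'
# constructed sample for this example, not a real server's cb.conf
MaxEventStoreSizeInPercent=85
#MaxEventStoreSizeInMB=1000000
MaxEventStoreDays = 45
AlwaysDeleteColdPartitions=False
EOF
  printf '%s\n' "$_t"
}

# Demo: report the limits and test a 60-day-old process event against them.
conf=$(cb_write_sample)
cb_retention_report "$conf" 6
if cb_days_exceeded "$conf" 60; then
  printf '60-day-old process event: outside MaxEventStoreDays, 404 expected\n'
else
  printf '60-day-old process event: still within MaxEventStoreDays\n'
fi
rm -f "$conf"
```

Point cb_retention_report at the real file with `cb_retention_report /etc/cb/cb.conf 6` to see what the server is actually enforcing; the percentage and MB limits can purge well before MaxEventStoreDays is reached on a full disk, so an alert's process may be gone earlier than the day count alone suggests. This only reads the file, so it is safe to run without the approval the warning above requires for changes.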

Solution

This is functioning as designed. The Cb Response Server routinely purges process events according to the MaxEventStore parameters configured for your installation (all four in 5.x; three in 6.x, where MaxEventStoreSizeInDocs is deprecated), and whichever limit is reached first triggers the purge. Because the process event the alert is tied to has already been purged, a 404 is the expected result when navigating to it.

If you are unsatisfied with your current data retention settings, contact Technical Support to rule out an underlying issue with your Cb Response Server before changing anything.

If no issue is found, Technical Support will refer you to the Professional Services team to scope your environment and recommend any configuration changes.

Article Information
Creation Date: 09-23-2015