If a sensor is not checking in, look in the log file: /var/log/cb/nginx/access.log for a request from the host.
22.214.171.124 - - [20/Apr/2021:20:04:52 +0000(3.811)] "POST /sensor/checkin/35998 HTTP/1.1" 502 166 "-" "sensors.vibrant-pies.my.carbonblack.io" ">126.96.36.199:6501" "-" "-"
In the output example, several fields are useful for diagnosing the issue:
Sensor Id is reported after the checkin field. It is 35998 in the above case.
The actual error code is reported in the field following HTTP/1.1 text. In the example above, 502 is the error code.
In a clustered environment, some requests proxy calls to a different minion in the cluster. This minion's address is reported after the ‘>’ character (188.8.131.52 in the above case).
If you find a checkin error or an error to any other call with the "/sensor/" prefix, check the following log: /var/log/cb/sensorservices/debug.log.
If you see an error related to requests prefixed with "/data/", check the following log: /var/log/cb/datastore/debug.log.
In a clustered environment, review the log files on the node that is referenced in the nginx error log entry.
If sensors are not checking in but there are no entries in access.log , check error.log .
If the sensor SSL client certificates are not signed by the Certificate Authority (CA) in /etc/cb/certs and configured in /etc/cb/nginx/conf.d/cb.conf ,
nginx will refuse the request.
If there are no entries in error.log, check the status of sensor communications as described in the “Troubleshooting Sensors” section in the VMware Carbon Black EDR User Guide .