Solr uses new cbevents directories (mount points) if their names match cbevents* or _cbevents*.


The cbevents directory (without the suffix) is the default directory but does not need to remain on the original data partition. You can remove it if needed.

The following is an example of a valid multi-volume configuration:


In this example, the default data drive is mounted to /dev/xvdb, and /data is configured as the data root inside of cb.conf. In addition, two more volumes are added and mounted to /data/solr6/cbevents2 and /data/solr6/cbevents3.


The system assigns the correct user:group upon cb-enterprise restart. If you created the mount points on a live server, ensure that the user assigned to the Carbon Black EDR server has write permissions on the mounted directory. Failure to do so causes the system to ignore the new mount points.

Another option to expand cbevents storage is to use a symlink.

To use a symlinked location for event storage:

  1. Create a mount point in another location in the file system, such as /data2.

  2. Create a symlink to the cbevents* directory inside the solr6 directory that points to the mounted directory. For example:

    ln -s /data2 /var/cb/data/solr6/cbevents2

  3. Ensure that the Carbon Black EDR user has write permissions in the mounted directory (/data2).
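Because a mount point or symlink target that the server cannot write to is silently ignored, it is worth checking every cbevents* entry after either procedure. The following is an added example, not part of the Carbon Black documentation: the function name check_cbevents is hypothetical, it assumes GNU readlink, and it must be run as the Carbon Black EDR service account so that the write test reflects that user's permissions.

```shell
# Added example: audit cbevents* / _cbevents* entries in the solr6 directory.
# Usage (as the EDR service account): check_cbevents /var/cb/data/solr6
# Prints one status line per entry and returns 1 if any entry is unusable.
check_cbevents() (
    solr_dir=$1
    rc=0
    for entry in "$solr_dir"/cbevents* "$solr_dir"/_cbevents*; do
        # An unmatched glob stays literal: skip it, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ ! -e "$entry" ]; then
            # Symlink whose target is absent (for example, volume not mounted).
            printf 'MISSING %s -> %s\n' "$name" "$(readlink "$entry")"
            rc=1
        elif [ ! -d "$entry" ]; then
            printf 'NOTDIR %s\n' "$name"
            rc=1
        else
            # Resolve symlinks so the permission test hits the real directory.
            target=$(readlink -f "$entry")
            if [ -w "$target" ] && [ -x "$target" ]; then
                printf 'OK %s -> %s\n' "$name" "$target"
            else
                printf 'NOWRITE %s -> %s\n' "$name" "$target"
                rc=1
            fi
        fi
    done
    exit "$rc"
)
```

Any line other than OK identifies a volume that will not be used for event storage until the target is mounted or its permissions are corrected.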