If communication with the remote device is interrupted, you can enable spooling for notifications on the Carbon Black EDR server.

To enable spooling of notifications:

  1. Log into the Carbon Black EDR console.

  2. Locate and open the /etc/rsyslog.d/cb-coreservices.conf file.

  3. Add the following lines after the section in which you are capturing logs (this line starts with if $programname) and before each action item for that section:

    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    $WorkDirectory /var/lib/rsyslog # where to place spool files
    $ActionQueueFileName fwdRule1 # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList # run asynchronously
    $ActionResumeRetryCount -1 # infinite retries if host is down
    The following is an example:
    if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
    $WorkDirectory /var/lib/rsyslog  # location of spoolfiles on the disk
    $ActionQueueFileName cbtest   # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList   # run asynchronously
    $ActionResumeRetryCount -1    # infinite retries if host is down
    & @@192.168.10.252:514;CbSyslogStandardFormatWithPID
    & ~
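As an added example (not part of the Carbon Black EDR documentation), the Python checker below scans an rsyslog.d fragment like the one above and reports every forwarding action in the cb-notifications section that lacks one of the queue directives, has no $WorkDirectory set before it, reuses another action's $ActionQueueFileName, or does not retry forever. The sample configuration text and the 192.0.2.10 host are constructed for the example.

```python
# Added checker, not Carbon Black's code; REQUIRED lists the per-action directives the procedure adds.
REQUIRED = ("$ActionQueueFileName", "$ActionQueueMaxDiskSpace", "$ActionQueueSaveOnShutdown",
            "$ActionQueueType", "$ActionResumeRetryCount")

def check_spooling(conf_text, program_prefix="cb-notifications-"):
    """Return a list of problems for forwarding actions ('& @host' / '& @@host') in the
    'if $programname startswith <prefix>' section: each needs the REQUIRED directives in
    front of it, $WorkDirectory set earlier, a unique queue file name and retry count -1."""
    problems, in_section, work_dir, seen, names = [], False, False, {}, set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("if $programname startswith"):
            in_section = program_prefix in line  # a selector opens a new section
            seen = {}
        elif line.startswith("$WorkDirectory"):
            work_dir = True                      # global directive, needed only once
        elif line.startswith("$"):
            parts = line.split(None, 1)
            seen[parts[0]] = parts[1] if len(parts) > 1 else ""
        elif in_section and line.startswith("& @"):
            for d in REQUIRED:
                if d not in seen:
                    problems.append(f"line {lineno}: missing {d} before '{line}'")
            if not work_dir:
                problems.append(f"line {lineno}: $WorkDirectory not set before '{line}'")
            qname = seen.get("$ActionQueueFileName")
            if qname is not None and qname in names:  # shared prefixes corrupt spool files
                problems.append(f"line {lineno}: duplicate $ActionQueueFileName {qname}")
            names.add(qname)
            if seen.get("$ActionResumeRetryCount", "-1") != "-1":
                problems.append(f"line {lineno}: $ActionResumeRetryCount is not -1")
            seen = {}                            # queue directives bind to one action only
        elif line.startswith("& ~"):
            in_section = False                   # the discard line closes the section
    return problems

# Constructed sample mirroring the page's example (the host is a placeholder).
GOOD = """if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName cbtest
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
& @@192.0.2.10:514;CbSyslogStandardFormatWithPID
& ~"""
BAD = GOOD.replace("$ActionQueueFileName cbtest\n", "").replace("-1", "5")
```

Running check_spooling(BAD) reports the missing queue file name and the finite retry count, while the GOOD fragment returns no problems.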