This topic describes the technology stack on a Carbon Black EDR server.

Five major daemons exist in a Carbon Black EDR server:

| Daemon | Description |
| --- | --- |
| cb-nginx | Used as an HTTP reverse proxy to internal daemons. |
| cb-coreservices | (Python, Gunicorn) All non-data application logic for HTTP transactions. |
| cb-datastore | (Java/Jetty) All incoming data, including event logs and binary files. |
| cb-solr | (Java/Jetty) Apache Solr, the primary data store. |
| cb-postgres | Traditional relational database. |
| cb-sensorservices | Handles all non-data sensor requests, such as sensor check-ins, registrations, and upgrades. |

nginx is the only daemon with public sockets. The remaining daemons are bound to the Carbon Black EDR server using the default IP address, which is 127.0.0.1, and can only be accessed locally or by using the nginx reverse proxy.

nginx owns tcp/80 and tcp/443 and redirects to coreservices, cb-datastore, cb-sensorservices, or the Carbon Black EDR web root based on the URL prefix:

| nginx URL prefix | Redirects to |
| --- | --- |
| / | /var/www/cb/ |
| /api/* | coreservices on tcp/5000 |
| /sensor/* | sensorservices on tcp/6500 and 6501 |
| /data/* | cb-datastore on tcp/9000 |

Note:

coreservices handles /api/*

All /api/ URLs are used by the Carbon Black EDR console interface and by REST clients.

sensorservices handles /sensor/*

All /sensor/ URLs are used by the sensors that are pushing data. These URLs are isolated to allow binding a separate nginx server instance to tcp/443 on a public or DMZ interface for sensors that are outside of the internal network (for example, sensors on laptops used by traveling or remote employees) without exposing the /api/ interfaces externally. You can isolate these URLs by using a simple nginx configuration change, as shown in the example in the file:

/etc/cb/nginx/conf.d/cb-multihome.conf.example

Note:

Listening ports are configured differently in a clustered setup. See cluster-specific documentation for more details.

In general, sensors first register and check into sensorservices by using nginx. If sensors have data, after they check in, they post event logs to cb-datastore by using nginx.

cb-datastore caches data for a few minutes before sending a collection of related data to cb-solr.
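The loopback binding and port map described above can be verified on a standalone server by auditing its listening sockets. The following is an added example, not Carbon Black code: it parses `ss -ltn` output (the sample rows are constructed) and reports any internal daemon port from the table that is bound to a non-loopback address. The function names and the EXPOSED/REVIEW labels are assumptions of this example.

```python
import ipaddress

# Ports come from the routing table on this page; the labels are this example's own.
PUBLIC_PORTS = {80, 443}  # nginx, the only daemon expected on public sockets
INTERNAL_PORTS = {5000: "coreservices", 6500: "sensorservices",
                  6501: "sensorservices", 9000: "cb-datastore"}

def split_addr(local):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return host, int(port)                 # numeric port requires ss -n

def is_loopback(host):
    if host in ("*", ""):
        return False                       # wildcard bind is never loopback
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                       # unparseable: report it

def audit_listeners(ss_output):
    """Return (severity, port, daemon, host) for each unexpected public listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                       # header or non-listening row
        host, port = split_addr(fields[3])
        if is_loopback(host) or port in PUBLIC_PORTS:
            continue
        if port in INTERNAL_PORTS:
            findings.append(("EXPOSED", port, INTERNAL_PORTS[port], host))
        else:                              # port not named on this page
            findings.append(("REVIEW", port, "unknown", host))
    return findings

# Constructed sample of `ss -ltn` output with two misbound daemons.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      128    0.0.0.0:9000       0.0.0.0:*
LISTEN 0      128    [::1]:6501         [::]:*
LISTEN 0      128    *:5000             *:*
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(*finding)
```

A REVIEW finding is any other non-loopback listener, which may be an unrelated service or a daemon whose port this page does not list. Clustered deployments configure listening ports differently, so the expected map would need adjusting there.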

The following diagram shows the Carbon Black EDR server architecture at a high level:

[Diagram: cbr-server-architecture]