If communication with the remote device is interrupted, you can enable spooling for notifications on the Carbon Black EDR server.
Procedure
- Login to the Carbon Black EDR console.
- Locate and open the /etc/rsyslog.d/cb-coreservices.conf file.
- Add the following lines after the section in which you are capturing logs (this line starts with
if $programname) and before each action item for that section:// # An on-disk queue is created for this action.If the remote host is # down, messages are spooled to disk and sent when it is up again. $WorkDirectory /var/lib/rsyslog # where to place spool files $ActionQueueFileName fwdRule1 # unique name prefix for spoolfiles $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down //
For example:if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID $WorkDirectory /var/lib/rsyslog # location of spoolfiles on the disk $ActionQueueFileName cbtest # unique name prefix for spool files $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down & @@192.168.10.252:514;CbSyslogStandardFormatWithPID & ~
