Issue
We have a number of endpoints that appear to be checking in without issue, however, they are reporting a significant backlog of data. How is that a sensor can check in but not send data to the EDR server?
Environment
VMware Carbon Black EDR
Resolution
In a clustered environment (master server and minions), sensors send two different packages: check-in and data submission (reserve/submit2). Check-ins are handled by the master server and data submissions are stored on the assigned minions.
As they are independent of each other, check-ins may register without incident, however, data submissions can have different issues:
- Sensor may not able to reach the minion (networking issues, server/minion availability, etc).
- A sensor may not be functioning properly causing it to not be able to send data.
This process is the same regardless of OS. To understand why a sensor(s) may not be functioning as expected, Support would need to investigate sensor diagnostics of the affected endpoint(s).
Related article(s):
How often does the VMware Carbon Black EDR sensor check-in with the EDR server?
Gather diagnostics for VMware Carbon Black EDR sensors (formerly CB Response)
Comments
0 comments
Please sign in to leave a comment.