Issue
We're seeing quite a few sensor health messages in our VMware CB EDR console. What do they mean and how can I resolve them?
Environment
VMware Carbon Black EDR
Linux, macOS and Windows sensors
Resolution
Below are some common sensor health messages and ways users can troubleshoot and potentially resolve issues on their own:
- Linux endpoints reporting a health message of "event source not connected" or "event source not installed"
  - This usually indicates either that an incompatible sensor version is installed or, depending on the kernel version of the OS, that the kernel headers needed to collect telemetry via eBPF are missing.
- Excessive/Elevated memory usage
  - If seen on macOS, ensure that a compatible sensor version is installed and that the kernel extension or system extension has been approved and loaded.
  - If seen on Linux, ensure that a compatible sensor version is installed. If the endpoint is running kernel version 4.4 or higher, the kernel headers matching the running kernel must also be installed.
  - If seen on Windows, ensure that a sensor version compatible with the Windows edition in use (desktop OS or server OS) is installed.
  - Depending on the OS, this message may be something of a red herring. However, in some instances restarting the sensor service or upgrading the sensor fixes the issue; in others the sensor has to be downgraded to a compatible version.
- Excessive event loss
  - Typically seen on Windows, this is usually the result of the sensor driver's event queue being filled by a large number of Windows startup events before the sensor service starts.
  - A system reboot normally resolves this issue.
  - If a system reboot does not work, check whether any other security products are installed on the device. If there are, ensure that the CB EDR directory is excluded from their scanning. The exclusion must be configured in the other product; the CB EDR server has no setting for excluding other products.
  - Upgrading the sensor may also resolve this issue.
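The Linux prerequisite above (a kernel at or above 4.4 plus the kernel headers matching the running kernel, so the sensor can load its eBPF programs) can be checked on the endpoint before opening a case. The script below is an added example for this article, not part of the VMware Carbon Black sensor or its documentation. The service name cbdaemon, the header location under /lib/modules/$(uname -r)/build, and the linux-headers/kernel-devel package names are assumptions and should be adjusted for your distribution and sensor build.

```shell
#!/bin/sh
# Added example (not VMware Carbon Black's own tooling): a pre-flight check for the
# Linux prerequisites named in this article: a kernel at or above 4.4 and the
# matching kernel headers installed so the sensor can load its eBPF programs.
# The service name below is an assumption; adjust it for your sensor build.
SENSOR_SERVICE="${SENSOR_SERVICE:-cbdaemon}"

# kernel_at_least MIN RUNNING
# Returns 0 when RUNNING (e.g. "5.15.0-91-generic") is at least MIN (e.g. "4.4").
# Only major.minor are compared; suffixes such as "-91-generic" are ignored.
kernel_at_least() {
    min_major=$(printf '%s' "$1" | cut -d. -f1)
    min_minor=$(printf '%s' "$1" | cut -s -d. -f2)
    run_major=$(printf '%s' "$2" | cut -d. -f1 | sed 's/[^0-9].*//')
    run_minor=$(printf '%s' "$2" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    min_minor=${min_minor:-0}
    run_minor=${run_minor:-0}
    if [ "$run_major" -gt "$min_major" ]; then return 0; fi
    if [ "$run_major" -eq "$min_major" ] && [ "$run_minor" -ge "$min_minor" ]; then
        return 0
    fi
    return 1
}

# headers_present MODULES_DIR KVER
# Returns 0 when MODULES_DIR/KVER/build resolves to a real header tree. After a
# kernel upgrade this symlink often dangles because the headers package for the
# new kernel was never installed, which is the situation the article describes.
headers_present() {
    build="$1/$2/build"
    [ -d "$build" ] && [ -f "$build/Makefile" ]
}

# headers_package KVER
# Prints the distro package carrying the headers for KVER, if it is installed.
# Package naming is an assumption (Debian/Ubuntu and RHEL-family conventions).
headers_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -s "linux-headers-$1" >/dev/null 2>&1 && echo "linux-headers-$1"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "kernel-devel-$1" >/dev/null 2>&1 && echo "kernel-devel-$1"
    fi
}

# report: prints the kernel version, header status and sensor service state.
report() {
    kver=$(uname -r)
    echo "kernel: $kver"
    if kernel_at_least 4.4 "$kver"; then
        if headers_present /lib/modules "$kver"; then
            pkg=$(headers_package "$kver")
            echo "headers: present ${pkg:+(package $pkg)}"
        else
            echo "headers: MISSING for $kver (install linux-headers-$kver or kernel-devel-$kver, then restart the sensor)"
        fi
    else
        echo "headers: this check does not apply (kernel below 4.4)"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        status=$(systemctl is-active "$SENSOR_SERVICE" 2>/dev/null) || true
        echo "sensor service $SENSOR_SERVICE: ${status:-unknown}"
    fi
}

report
```

Run it as root on the affected endpoint. If it reports MISSING, install the headers package for the running kernel (not just the newest headers package the repository offers), restart the sensor service, and confirm that the health message clears in the console.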
Please contact Support if the issues still exist.