How large does the Canary Exporter output log grow?

By default, Canary Exporter will output your selected telemetry data in JSON format into the canary_exporter_output.log file, which can grow up to 1 GB in size. After reaching 1 GB, the log will rotate using the naming convention canary_exporter_output.log.1 until the log count has reached 20. After 20, the oldest log is purged when a new log is created.

Can I shut down the Canary Exporter Docker process gracefully?

Yes, the Docker process running the Canary Exporter can be shut down gracefully using the following commands (Linux):

docker ps
docker kill [container_id]


What if I want to switch between Native and Standardized data? Do I have to choose?

Switching between native and standardized data is as simple as changing the variable in your Docker run statement from one to the other. This can be done as often as needed, though keep in mind your data format will change, potentially affecting the systems consuming the logs.

If your use case requires it, you can run multiple Docker instances, one for native data and one for standard. Your key material is the same in both cases.

What if I have more data coming in than the Exporter can handle?

In some larger environments, a single Canary Exporter process will very likely be unable to keep up with the flow of data. In these cases, multiple Docker instances can be deployed with identical run statements to load balance. The data repository is aware of each Canary Exporter instance subscribed to it, and will not send duplicate data.

Can I use Exporter with an on-premise or Carbon Black Cloud Response server?

Yes, but you must ensure certain settings are in place on the Response server side. Please contact your CSM or IH for details.

How much data will Canary Exporter generate?

This depends on the endpoint product in use and endpoint utilization, among other things. 

In general, when consuming all event types, expect ~20 megabytes of data per endpoint per day.

For an environment with 1000 endpoints, this equates to roughly 600 gigabytes per month.
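
Combining this estimate with the rotation limits described earlier shows how long telemetry stays on disk before the oldest log is purged, which is the window a downstream consumer has to read it. The following is an added example, not Red Canary code; it assumes decimal units (1 GB = 10^9 bytes), that 20 rotated files are retained, and that a higher numeric suffix means an older file. The helper names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

BASE = "canary_exporter_output.log"  # file name from the page
ROTATED_KEPT = 20                    # assumption: 20 rotated files are retained
FILE_BYTES = 10**9                   # 1 GB per file, decimal units assumed
MB_PER_ENDPOINT_DAY = 20             # page's estimate for all event types


def oldest_first(log_dir):
    """Return the rotation set ordered oldest to newest.

    Assumes a higher numeric suffix is an older file and the unsuffixed
    file is the live one. A plain lexical sort would place .10 before .2,
    so the suffix is compared numerically.
    """
    pat = re.compile(re.escape(BASE) + r"(?:\.(\d+))?")
    found = []
    for p in Path(log_dir).iterdir():
        m = pat.fullmatch(p.name)
        if m:
            found.append((int(m.group(1) or 0), p))
    return [p for _, p in sorted(found, key=lambda t: t[0], reverse=True)]


def retention_hours(endpoints):
    """Hours of telemetry held in the rotated files before the oldest is purged."""
    bytes_per_day = endpoints * MB_PER_ENDPOINT_DAY * 10**6
    return ROTATED_KEPT * FILE_BYTES / bytes_per_day * 24


def demo():
    # Constructed sample directory with empty files, for illustration only.
    with tempfile.TemporaryDirectory() as d:
        for name in [BASE, BASE + ".1", BASE + ".2", BASE + ".10", "other.log"]:
            (Path(d) / name).touch()
        return [p.name for p in oldest_first(d)]


if __name__ == "__main__":
    print(demo())
    print(retention_hours(1000))
```

Under these assumptions, a single exporter serving 1000 endpoints cycles through its rotated logs in about a day, so whatever consumes the files needs to collect them more often than that.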

