We have a number of endpoints that appear to be checking in without issue; however, they are reporting a significant backlog of data. How is it that a sensor can check in but not send data to the EDR server?
VMware Carbon Black EDR
In a clustered environment (master server and minions), sensors send two different packages: check-in and data submission (reserve/submit2). Check-ins are handled by the master server and data submissions are stored on the assigned minions.
As they are independent of each other, check-ins may register without incident; however, data submissions can have different issues:
- The sensor may not be able to reach the minion (networking issues, server/minion availability, etc.).
- A sensor may not be functioning properly, causing it to not be able to send data.
This process is the same regardless of OS. To understand why a sensor(s) may not be functioning as expected, Support would need to investigate sensor diagnostics of the affected endpoint(s).
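Before collecting diagnostics, it helps to see whether the backlogged sensors share a minion (pointing at the first cause above) or are isolated (pointing at the second). The following is an added example, not VMware's code: the record fields (`name`, `minion`, `last_checkin`, `backlog_bytes`), the thresholds and the sample inventory are all assumptions constructed for illustration, to be mapped onto whatever sensor export you have.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
CHECKIN_FRESH = timedelta(minutes=10)   # assumed: "checking in without issue"
BACKLOG_LIMIT = 100 * 1024 * 1024       # assumed: "significant backlog" (100 MiB)

def rec(name, minion, minutes_ago, backlog_mib):
    """Build one constructed sensor record (hypothetical field names)."""
    return {"name": name, "minion": minion,
            "last_checkin": NOW - timedelta(minutes=minutes_ago),
            "backlog_bytes": backlog_mib * 1024 * 1024}

# Constructed inventory: minion 1 is unreachable, ws-04 is a broken sensor,
# ws-08 is simply offline (no check-ins at all, so a different problem).
SENSORS = [
    rec("ws-01", 1, 1, 900), rec("ws-02", 1, 2, 750), rec("ws-03", 1, 3, 1200),
    rec("ws-04", 2, 1, 400), rec("ws-05", 2, 2, 0), rec("ws-06", 2, 1, 3),
    rec("ws-07", 2, 4, 1), rec("ws-08", 3, 2880, 2000), rec("ws-09", 3, 1, 0),
]

def stalled(sensor, now=NOW):
    """True when check-ins reach the master but data is not draining to the minion."""
    fresh = now - sensor["last_checkin"] <= CHECKIN_FRESH
    return fresh and sensor["backlog_bytes"] >= BACKLOG_LIMIT

def triage(sensors, now=NOW, minion_ratio=0.5):
    """Group stalled sensors by minion and suggest which side to investigate."""
    per_minion = defaultdict(lambda: {"total": 0, "stalled": []})
    for s in sensors:
        bucket = per_minion[s["minion"]]
        bucket["total"] += 1
        if stalled(s, now):
            bucket["stalled"].append(s["name"])
    findings = {}
    for minion, b in sorted(per_minion.items()):
        if not b["stalled"]:
            continue
        # Several stalled sensors sharing one minion point at the minion or the
        # network path to it; an isolated one points at the endpoint itself.
        shared = len(b["stalled"]) > 1 and len(b["stalled"]) / b["total"] >= minion_ratio
        findings[minion] = ("minion-or-network" if shared else "individual-sensor",
                            sorted(b["stalled"]))
    return findings

if __name__ == "__main__":
    for minion, (cause, names) in triage(SENSORS).items():
        print(f"minion {minion}: {cause}: {', '.join(names)}")
```

Sensors that have stopped checking in altogether (ws-08 in the sample) are deliberately excluded, since that is a different failure from the one this article describes.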