EDR: How to Enable Raw Event Forwarding on cb.conf When Using Event-Forwarder

Article ID: 284796

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How do you enable raw event forwarding in cb.conf when using Event-Forwarder?

Environment

  • EDR: All supported versions 
  • CB Response Event Forwarder: 3.2.0+

Resolution

  • Warning: We do not recommend exporting all events. Performance is impacted when events are broadcast on the bus, which happens when "DatastoreBroadcastEventTypes" is enabled.
  • If you are capturing raw sensor events, you also need to edit the DatastoreBroadcastEventTypes option in /etc/cb/cb.conf to enable broadcast of the raw sensor events you wish to export.
  • If you plan to forward all types of process events, we recommend adding EnableRawSensorDataBroadcast=true to /etc/cb/cb.conf. When using "EnableRawSensorDataBroadcast=true", make sure DatastoreBroadcastEventTypes is commented out.
  • If you are capturing binary observed events, you also need to edit the EnableSolrBinaryInfoNotifications option in /etc/cb/cb.conf and set it to True.
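
A quick way to confirm that a cb.conf follows the rules above before restarting services. This is an added example, not vendor code: the function names and state labels are hypothetical, the sample file is constructed, and treating the last uncommented assignment of a repeated key as the active one is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code): lint the cb.conf options named in this article.

# Print the active value of key $1 in file $2; commented-out lines are ignored.
# Assumption: if a key is repeated, the last uncommented assignment is in effect.
conf_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # skip commented-out settings
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2"
}

# Classify how raw sensor events are broadcast for the Event Forwarder.
raw_broadcast_state() {
    raw=$(conf_value EnableRawSensorDataBroadcast "$1" | tr '[:upper:]' '[:lower:]')
    types=$(conf_value DatastoreBroadcastEventTypes "$1")
    if [ "$raw" = "true" ] && [ -n "$types" ]; then
        echo "conflict"          # article: DatastoreBroadcastEventTypes must be commented out
    elif [ "$raw" = "true" ]; then
        echo "all-events"
    elif [ -n "$types" ]; then
        echo "by-event-types"
    else
        echo "not-enabled"
    fi
}

# Binary observed events need EnableSolrBinaryInfoNotifications set to True.
binary_notifications_state() {
    v=$(conf_value EnableSolrBinaryInfoNotifications "$1" | tr '[:upper:]' '[:lower:]')
    [ "$v" = "true" ] && echo "enabled" || echo "disabled"
}

# Constructed sample file; on a server, pass /etc/cb/cb.conf instead.
sample=$(mktemp)
printf '%s\n' 'DatastoreBroadcastEventTypes=*' \
    'EnableRawSensorDataBroadcast=true' \
    '#EnableSolrBinaryInfoNotifications=True' > "$sample"
echo "raw: $(raw_broadcast_state "$sample"), binary: $(binary_notifications_state "$sample")"
rm -f "$sample"
```

A result of "conflict" means both broadcast options are active at once, which is the combination the third bullet says to avoid.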

Additional Information

EDR server version 7.3.0 deprecated 'DatastoreBroadcastEventTypes=*' and added 'EnableRawSensorDataBroadcast=true' in its place to improve performance.