CB-Event-Forwarder: 3.6.x and lower
- Make a copy of cb-event-forwarder.conf. In this example the second file is named cb-event-forwarder2.conf. The original file is at:
/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
- Update both configuration files with the settings needed to push to the SIEM or to write a local JSON file.
- Create a startup entry that reads the new conf file by editing the Upstart job /etc/init/cb-event-forwarder.conf
- The original startup script section looks like this:
pre-start script
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log
end script
exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
- Modify the startup script so it also references the new file name. Example with our cb-event-forwarder2.conf:
pre-start script
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder2.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder2.startup.log
end script
exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder2.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder2.log
- Start the Event Forwarder service:
initctl start cb-event-forwarder
CB-Event-Forwarder: 3.7.x and later (EL7/8)
NOTE: If using multiple event forwarders:
- If both Event Forwarders are located on the same machine, adequate resources must be available to support both forwarders.
- The EDR Forwarder GUI will only control the original/first event forwarder. The second forwarder will need to be managed via the configuration file(s).
- Duplicate the service unit file of the original/first forwarder. Typically located here: `/etc/systemd/system/cb-event-forwarder.service`
cp /etc/systemd/system/cb-event-forwarder.service /etc/systemd/system/cb-event-forwarder-2.service
- Duplicate the configuration file and logging directory:
- If the second Event Forwarder config file does not yet exist in /etc/cb/integrations/event-forwarder, copy the file from the first forwarder and customize it as needed:
cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf
- If the Event Forwarder was converted from a legacy setup or an older instance, migrate these items as well (config file, log directory, and the config/log/pid paths inside the new unit file):
cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf &&
mkdir /var/log/cb/integrations/cb-event-forwarder-2 &&
sed -i 's/\/var\/log\/cb\/integrations\/cb-event-forwarder/\/var\/log\/cb\/integrations\/cb-event-forwarder-2/g' /etc/systemd/system/cb-event-forwarder-2.service &&
sed -i 's/\/etc\/cb\/integrations\/event-forwarder\/cb-event-forwarder.conf/\/etc\/cb\/integrations\/event-forwarder\/cb-event-forwarder-2.conf/g' /etc/systemd/system/cb-event-forwarder-2.service &&
sed -i 's/\/run\/cb\/integrations\/cb-event-forwarder\/cb-event-forwarder.pid/\/run\/cb\/integrations\/cb-event-forwarder\/cb-event-forwarder-2.pid/g' /etc/systemd/system/cb-event-forwarder-2.service
- Check the Event Forwarder Configuration:
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf
- Start the second Event Forwarder service:
systemctl start cb-event-forwarder-2
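The duplication steps above, collected into one script as an added example (this is not code from the original article or from the Event Forwarder project). It applies the same three sed rewrites as the article's command chain to a copy of the first unit file, but refuses to overwrite an instance that already exists and verifies afterwards that the new unit no longer points at the first instance's config or pid file. The optional ROOT argument is an assumption added here so the script can be dry-run against a scratch directory instead of the live /etc.

```shell
#!/bin/sh
# Added example (not from the original KB article). Clones the first
# cb-event-forwarder unit and config into instance N with the same three path
# rewrites as the article's sed chain, but refuses to overwrite an existing
# instance and verifies that no reference to the first instance's config or pid
# file survives. The ROOT argument is an assumption added here so the script can
# be dry-run against a scratch directory instead of the live /etc.
set -u

# Usage: clone_forwarder N [ROOT]      e.g. clone_forwarder 2
clone_forwarder() {
    n="$1"; root="${2:-}"
    src_unit="$root/etc/systemd/system/cb-event-forwarder.service"
    dst_unit="$root/etc/systemd/system/cb-event-forwarder-$n.service"
    src_conf="$root/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf"
    dst_conf="$root/etc/cb/integrations/event-forwarder/cb-event-forwarder-$n.conf"
    log_dir="$root/var/log/cb/integrations/cb-event-forwarder-$n"

    for f in "$src_unit" "$src_conf"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    for f in "$dst_unit" "$dst_conf"; do
        [ -e "$f" ] && { echo "refusing to overwrite $f" >&2; return 1; }
    done

    # '|' as the sed delimiter avoids escaping every slash in the paths.
    sed -e "s|/var/log/cb/integrations/cb-event-forwarder|/var/log/cb/integrations/cb-event-forwarder-$n|g" \
        -e "s|/etc/cb/integrations/event-forwarder/cb-event-forwarder\.conf|/etc/cb/integrations/event-forwarder/cb-event-forwarder-$n.conf|g" \
        -e "s|/run/cb/integrations/cb-event-forwarder/cb-event-forwarder\.pid|/run/cb/integrations/cb-event-forwarder/cb-event-forwarder-$n.pid|g" \
        "$src_unit" > "$dst_unit" || return 1
    cp "$src_conf" "$dst_conf" || return 1
    mkdir -p "$log_dir" || return 1

    # Two instances sharing a config or pid file would fight each other, so
    # fail loudly if any unrewritten reference to instance 1 survived.
    if grep -Eq '/cb-event-forwarder\.(conf|pid)' "$dst_unit"; then
        echo "rewrite incomplete: $dst_unit still references the first instance" >&2
        return 1
    fi
    echo "created $dst_unit, $dst_conf and $log_dir"
    echo "next: cb-event-forwarder -check $dst_conf, systemctl daemon-reload, systemctl start cb-event-forwarder-$n"
}

# Run directly with an instance number, e.g.:  sh clone_forwarder.sh 2
if [ "${1:-}" ]; then clone_forwarder "$1" "${ROOT:-}"; fi
```

After the script succeeds, run the article's `-check` against the new config and `systemctl daemon-reload` before starting the second service, since systemd only picks up a newly created unit file after a reload.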