EDR: How to send events to multiple receivers via Event Forwarder

Article ID: 284970

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to send events to multiple receivers using Event Forwarder.

Environment

  • CB Event Forwarder: 3.6.x and Below
  • CB Event Forwarder: 3.7.x and Above

Resolution

CB-Event-Forwarder : 3.6.X and lower
  1. Make a copy of the cb-event-forwarder.conf file. In this example the second file is named cb-event-forwarder2.conf. The path is: 
    /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
    
  2. Update both configuration files with the settings needed to push to the SIEM or to write a local JSON file. 
  3. Create a new startup service that reads from the new conf file by editing /etc/init/cb-event-forwarder.conf
    • The original startup script section looks like this:
      pre-start script
       /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log
      end script
      
      exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
    • Modify the startup script, adding a check line and an exec line for the new file name. Example with our cb-event-forwarder2.conf:
      pre-start script
       /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.startup.log
       /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder2.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder2.startup.log
      end script
      
      exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder.log
      exec /usr/share/cb/integrations/event-forwarder/cb-event-forwarder /etc/cb/integrations/event-forwarder/cb-event-forwarder2.conf &> /var/log/cb/integrations/cb-event-forwarder/cb-event-forwarder2.log
  4. Start the Event Forwarder service: 
     initctl start cb-event-forwarder

CB-Event-Forwarder : 3.7.x + EL7/8

NOTE: If using multiple event forwarders:
  • If both Event Forwarders are located on the same machine, adequate resources must be available to support both forwarders.
  • The EDR Forwarder GUI will only control the original/first event forwarder. The second forwarder will need to be managed via the configuration file(s).
  1. Duplicate the service unit file of the original/first forwarder. Typically located here: `/etc/systemd/system/cb-event-forwarder.service`
     cp /etc/systemd/system/cb-event-forwarder.service /etc/systemd/system/cb-event-forwarder-2.service
  2. Duplicate the configuration and logging directories:
    • If the second Event Forwarder config file does not exist in /var/log/cb/integrations/cb-event-forwarder, copy the file from the first and customize it as needed:
      cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf
    • If the Event Forwarder was converted from a legacy setup or older instance, these items should be migrated:
      cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf &&
      mkdir /var/log/cb/integrations/cb-event-forwarder-2 &&
      sed -i 's/\/var\/log\/cb\/integrations\/cb-event-forwarder/\/var\/log\/cb\/integrations\/cb-event-forwarder-2/g' /etc/systemd/system/cb-event-forwarder-2.service &&
      sed -i 's/\/etc\/cb\/integrations\/event-forwarder\/cb-event-forwarder.conf/\/etc\/cb\/integrations\/event-forwarder\/cb-event-forwarder-2.conf/g' /etc/systemd/system/cb-event-forwarder-2.service &&
      sed -i 's/\/run\/cb\/integrations\/cb-event-forwarder\/cb-event-forwarder.pid/\/run\/cb\/integrations\/cb-event-forwarder\/cb-event-forwarder-2.pid/g' /etc/systemd/system/cb-event-forwarder-2.service
  3. Check the Event Forwarder configuration:
     /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf
  4. Start the second Event Forwarder service:
     systemctl start cb-event-forwarder-2
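
As an added example (not code from the article or from the cb-event-forwarder project), the following POSIX shell script performs steps 1 through 4 above for the 3.7.x/systemd layout with the paths as parameters: it copies the unit and conf, creates the log directory and rewrites the conf, log-directory and pid-file paths in the new unit the way the article's sed lines do, but refuses to overwrite an existing instance and then verifies the result. The verification is the check a practitioner wants before `systemctl start`: the new unit must no longer reference the first instance's conf, log directory or pid file (otherwise the two services collide), and neither copied file may contain carriage returns, the copy-and-paste problem called out under Additional Information. The function names (clone_forwarder, verify_clone, esc_pat, esc_rep, demo_clone), the `-N` suffix convention and the sample unit and conf contents are this example's own assumptions; the sample files are constructed and written to a scratch directory, so the demo touches nothing under /etc.

```shell
#!/bin/sh
# Added example, not from the Carbon Black article or the cb-event-forwarder
# project: clone a forwarder instance (systemd unit + conf file + log dir) into
# a numbered second instance the way the article's cp/mkdir/sed lines do, but
# parameterized, refusing to overwrite existing files, and verifying the result
# before it is handed to systemctl. Assumed layout (as in the article): UNIT
# ends in .service, CONF in .conf, PIDFILE in .pid, and the three paths do not
# nest inside one another; the instance number is appended as "-N".

# Escape a literal string for the pattern side of a sed s|||g expression.
esc_pat() { printf '%s' "$1" | sed 's/[][\\.*^$|]/\\&/g'; }
# Escape a literal string for the replacement side.
esc_rep() { printf '%s' "$1" | sed 's/[\\&|]/\\&/g'; }

# clone_forwarder UNIT CONF LOGDIR PIDFILE N
# Writes UNIT-N.service with CONF, LOGDIR and PIDFILE rewritten, copies CONF to
# CONF-N.conf (to be customized by hand, as the article says) and creates LOGDIR-N.
clone_forwarder() {
    unit=$1 conf=$2 logdir=$3 pidfile=$4 n=$5
    new_unit=${unit%.service}-$n.service
    new_conf=${conf%.conf}-$n.conf
    new_logdir=$logdir-$n
    new_pidfile=${pidfile%.pid}-$n.pid

    [ -f "$unit" ] && [ -f "$conf" ] || { echo "missing source unit or conf" >&2; return 1; }
    for target in "$new_unit" "$new_conf" "$new_logdir"; do
        if [ -e "$target" ]; then
            echo "refusing to overwrite $target" >&2
            return 1
        fi
    done

    # Generate the new unit from the old one instead of cp + sed -i, so a failed
    # sed leaves no half-rewritten unit behind. Same order as the article: log
    # directory, conf file, pid file.
    sed -e "s|$(esc_pat "$logdir")|$(esc_rep "$new_logdir")|g" \
        -e "s|$(esc_pat "$conf")|$(esc_rep "$new_conf")|g" \
        -e "s|$(esc_pat "$pidfile")|$(esc_rep "$new_pidfile")|g" \
        "$unit" > "$new_unit" || { rm -f "$new_unit"; return 1; }
    cp -p "$conf" "$new_conf" || return 1
    mkdir -p "$new_logdir"
}

# verify_clone NEW_UNIT NEW_CONF OLD_CONF OLD_LOGDIR OLD_PIDFILE
# Returns 1 if the new unit still points at the first instance's conf, log
# directory or pid file (the two services would then collide), or if either
# copied file contains carriage returns, which the article's Additional
# Information notes will make the service fail to start.
verify_clone() {
    new_unit=$1 new_conf=$2 old_conf=$3 old_logdir=$4 old_pidfile=$5
    # The log dir is checked as a directory component ("dir/") so that the
    # renamed "dir-N/" does not count as a stale match.
    for stale in "$old_conf" "$old_logdir/" "$old_pidfile"; do
        if grep -qF -- "$stale" "$new_unit"; then
            echo "stale reference to $stale in $new_unit" >&2
            return 1
        fi
    done
    for f in "$new_unit" "$new_conf"; do
        if ! awk 'BEGIN { cr = 0 } index($0, "\r") { cr = 1 } END { exit cr }' "$f"; then
            echo "carriage return found in $f" >&2
            return 1
        fi
    done
}

# demo_clone: builds a constructed (made-up) unit and conf in a scratch
# directory, clones them as instance 2, verifies the copy, checks that a second
# run refuses to overwrite, and prints the generated unit. Returns 0 on success.
demo_clone() {
    tmp=$(mktemp -d) || return 1
    unit=$tmp/cb-event-forwarder.service
    conf=$tmp/cb-event-forwarder.conf
    logdir=$tmp/log/cb-event-forwarder
    pidfile=$tmp/run/cb-event-forwarder.pid
    cat > "$unit" <<EOF
[Unit]
Description=Carbon Black Event Forwarder (constructed sample)

[Service]
PIDFile=$pidfile
ExecStartPre=/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check $conf
ExecStart=/usr/share/cb/integrations/event-forwarder/cb-event-forwarder $conf
StandardOutput=append:$logdir/cb-event-forwarder.log
EOF
    printf 'output_type=file\noutfile=%s/cb-event-forwarder.json\n' "$logdir" > "$conf"
    mkdir -p "$logdir"

    clone_forwarder "$unit" "$conf" "$logdir" "$pidfile" 2 || return 1
    verify_clone "$tmp/cb-event-forwarder-2.service" "$tmp/cb-event-forwarder-2.conf" \
        "$conf" "$logdir" "$pidfile" || return 1
    if clone_forwarder "$unit" "$conf" "$logdir" "$pidfile" 2 2>/dev/null; then
        echo "second run overwrote an existing instance" >&2
        return 1
    fi
    cat "$tmp/cb-event-forwarder-2.service"
    rm -rf "$tmp"
}

case ${1:-} in
    demo) demo_clone ;;
esac
```

Run `sh clone-forwarder.sh demo` to exercise it against the constructed sample. On a real host, call clone_forwarder as root with the article's four paths and `2`, edit the new conf so the second forwarder writes to its own destination, run the `-check` from step 3 against the new conf (this script validates only the unit and the copied file's line endings), and run `systemctl daemon-reload` before `systemctl start cb-event-forwarder-2` so that systemd loads the new unit.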

Additional Information

  • Copying and pasting from the article could introduce hidden line-ending characters that will cause service startup to fail. It is recommended to copy the lines within the conf file itself and modify the file name on the duplicated lines. 
  • This should only be used in low volume environments with enough resources to handle the additional usage. 
  • For high volume systems it is normally recommended to install the event forwarder on a separate server dedicated to the event forwarder. See: EDR: How to setup Cb-Event-Forwarder on a separate server