How to Send Events to Multiple Receivers from the Event Forwarder

Article ID: 284970

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to run a second instance of the Event Forwarder on the same host so that EDR events are delivered to more than one receiver.

Environment

  • CB Event Forwarder: 3.7.x and Above

Resolution

  1. Duplicate the service unit file of the original/first forwarder. It is typically located at `/etc/systemd/system/cb-event-forwarder.service`:
       cp /etc/systemd/system/cb-event-forwarder.service /etc/systemd/system/cb-event-forwarder-2.service
  2. Duplicate the configuration file and the logging directory, then point the new unit file at the copies:
     • If a second configuration file does not already exist in /etc/cb/integrations/event-forwarder, copy the first one and customize it as needed. At a minimum change the output settings, otherwise both forwarders deliver the same events to the same receiver. The file also holds the forwarder's connection credentials, so give the copy the same restrictive ownership and permissions as the original.
       cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf
     • If the Event Forwarder was converted from a legacy setup or an older instance, migrate the configuration file, the log directory and the paths in the unit file together. The following commands create the copies and rewrite the configuration, log and PID paths inside the new unit file:
       cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf &&
       mkdir /var/log/cb/integrations/cb-event-forwarder-2 &&
       sed -i 's/\/var\/log\/cb\/integrations\/cb-event-forwarder/\/var\/log\/cb\/integrations\/cb-event-forwarder-2/g' /etc/systemd/system/cb-event-forwarder-2.service &&
       sed -i 's/\/etc\/cb\/integrations\/event-forwarder\/cb-event-forwarder.conf/\/etc\/cb\/integrations\/event-forwarder\/cb-event-forwarder-2.conf/g' /etc/systemd/system/cb-event-forwarder-2.service &&
       sed -i 's/\/run\/cb\/integrations\/cb-event-forwarder\/cb-event-forwarder.pid/\/run\/cb\/integrations\/cb-event-forwarder\/cb-event-forwarder-2.pid/g' /etc/systemd/system/cb-event-forwarder-2.service
     Afterwards confirm with `grep cb-event-forwarder /etc/systemd/system/cb-event-forwarder-2.service` that every conf, log and PID path in the new unit carries the -2 suffix; a path the sed expressions did not match would make the second instance share a file with the first.
  3. Check the second Event Forwarder configuration:
       /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check /etc/cb/integrations/event-forwarder/cb-event-forwarder-2.conf
  4. Reload systemd so it picks up the new unit file, then start the second Event Forwarder service (and enable it if it should start at boot):
       systemctl daemon-reload
       systemctl start cb-event-forwarder-2
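The four steps above collected into one script, added here as an example; it is not Carbon Black's tooling and not part of the original article. It assumes the stock paths used above. ROOT (empty by default) is an assumption that prefixes every filesystem path so the logic can be exercised against a scratch tree without touching a live server, and the output_type and *out configuration keys are taken from the forwarder's sample configuration and should be checked against your own file. The script refuses to overwrite an existing clone, keeps the permissions of the credential-bearing configuration file on the copy, verifies that the rewritten unit no longer references the first instance's conf, PID or log paths, and warns when the second configuration still selects the same output as the first.

```shell
#!/bin/sh
# Added example (not Carbon Black's own tooling): clone the first
# cb-event-forwarder systemd unit into a second instance and verify it.
# Assumptions: the stock paths from the article; ROOT (default empty) is
# prefixed onto every filesystem path so the script can be run against a
# scratch tree without root. Usage on a real server: ./clone.sh 2
set -eu

ROOT="${ROOT:-}"
SYS_UNIT_DIR=/etc/systemd/system
SYS_CONF_DIR=/etc/cb/integrations/event-forwarder
SYS_LOG_DIR=/var/log/cb/integrations
SYS_RUN_DIR=/run/cb/integrations/cb-event-forwarder

# clone_forwarder SUFFIX: write cb-event-forwarder-SUFFIX.service and .conf,
# create the instance's log directory, and rewrite the conf, log and pid
# paths inside the new unit. Refuses to overwrite an existing clone so a
# re-run cannot clobber a configuration that has already been tuned.
clone_forwarder() {
    sfx="$1"
    src_unit="$ROOT$SYS_UNIT_DIR/cb-event-forwarder.service"
    new_unit="$ROOT$SYS_UNIT_DIR/cb-event-forwarder-$sfx.service"
    src_conf="$ROOT$SYS_CONF_DIR/cb-event-forwarder.conf"
    new_conf="$ROOT$SYS_CONF_DIR/cb-event-forwarder-$sfx.conf"

    [ -f "$src_unit" ] || { echo "missing $src_unit" >&2; return 1; }
    [ -f "$src_conf" ] || { echo "missing $src_conf" >&2; return 1; }
    [ ! -e "$new_unit" ] || { echo "refusing to overwrite $new_unit" >&2; return 1; }
    [ ! -e "$new_conf" ] || { echo "refusing to overwrite $new_conf" >&2; return 1; }

    # The conf carries the forwarder's connection credentials, so keep the
    # original's mode and owner on the copy instead of cp's umask default.
    cp -p "$src_conf" "$new_conf"
    mkdir -p "$ROOT$SYS_LOG_DIR/cb-event-forwarder-$sfx"

    # Generate the new unit from the old one in one pass. '|' is the sed
    # delimiter so the slashes in the paths need no escaping. The conf and
    # pid rules match exact file names; the log rule rewrites the directory
    # prefix, exactly as the article's sed does.
    sed \
      -e "s|$SYS_CONF_DIR/cb-event-forwarder\.conf|$SYS_CONF_DIR/cb-event-forwarder-$sfx.conf|g" \
      -e "s|$SYS_RUN_DIR/cb-event-forwarder\.pid|$SYS_RUN_DIR/cb-event-forwarder-$sfx.pid|g" \
      -e "s|$SYS_LOG_DIR/cb-event-forwarder|$SYS_LOG_DIR/cb-event-forwarder-$sfx|g" \
      "$src_unit" > "$new_unit"
}

# verify_clone SUFFIX: fail if the new unit still references any of the
# first instance's conf, pid or log paths, or lacks the new ones. A leftover
# path would make the two services share a file or a PID.
verify_clone() {
    sfx="$1"
    unit="$ROOT$SYS_UNIT_DIR/cb-event-forwarder-$sfx.service"
    for old in "$SYS_CONF_DIR/cb-event-forwarder.conf" \
               "$SYS_RUN_DIR/cb-event-forwarder.pid" \
               "$SYS_LOG_DIR/cb-event-forwarder/"; do
        if grep -qF "$old" "$unit"; then
            echo "$unit still references $old" >&2; return 1
        fi
    done
    grep -qF "cb-event-forwarder-$sfx.conf" "$unit" || return 1
    grep -qF "cb-event-forwarder-$sfx.pid" "$unit" || return 1
    [ -d "$ROOT$SYS_LOG_DIR/cb-event-forwarder-$sfx" ] || return 1
}

# output_lines FILE: the output-selection lines of a forwarder conf. The key
# names (output_type plus the *out destinations such as tcpout, udpout,
# syslogout, httpout, s3out) are assumed from the sample conf; check them
# against your own file.
output_lines() {
    grep -E '^(output_type|[a-z0-9_]*out)=' "$1" | sort
}

# outputs_differ SUFFIX: 0 if the clone selects a different output from the
# original. Two forwarders with identical output settings only deliver every
# event twice to the same receiver, which defeats the purpose of the clone.
outputs_differ() {
    a="$(output_lines "$ROOT$SYS_CONF_DIR/cb-event-forwarder.conf")"
    b="$(output_lines "$ROOT$SYS_CONF_DIR/cb-event-forwarder-$1.conf")"
    [ "$a" != "$b" ]
}

if [ -n "${1:-}" ]; then
    clone_forwarder "$1"
    verify_clone "$1"
    outputs_differ "$1" || echo "edit cb-event-forwarder-$1.conf: its output still matches the original" >&2
    echo "next: cb-event-forwarder -check $SYS_CONF_DIR/cb-event-forwarder-$1.conf,"
    echo "      then systemctl daemon-reload && systemctl start cb-event-forwarder-$1"
fi
```

The script stops short of starting the service on purpose: the `-check` run and the `daemon-reload` are the operator's last look before a second consumer attaches to the EDR message bus, and the output warning is there because a clone whose conf was copied but never edited is the most common reason a "second receiver" never sees anything new.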

Additional Information

  • If both Event Forwarders run on the same machine, adequate resources must be available to support both; each instance is a separate consumer of the EDR event stream.
  • The EDR Forwarder GUI only controls the original/first event forwarder (when installed on the EDR server). The second forwarder must be managed through its configuration file and systemctl.
  • Copying and pasting from the article can introduce hidden characters (for example non-breaking spaces or Windows line endings) that make the service fail at startup. It is safer to copy the lines from within the conf file itself and change the file name on the duplicated lines. `cat -A` on the edited file shows any such characters.
  • This setup should only be used in low volume environments with enough headroom to handle the additional load.
  • For high volume systems it is normally recommended to install the event forwarder on a separate server dedicated to it; see the article "How to Setup Cb-Event-Forwarder on a Separate Server".