Carbon Black Cloud: How to Configure cb-defense-syslog.conf for Syslog Connector
Article ID: 285013

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

How to configure the cb-defense-syslog.conf file used by the Carbon Black Cloud Syslog Connector

Environment

  • Carbon Black Cloud Web Console: All Versions
    • Endpoint Standard: All Versions
    • Enterprise EDR: All Versions
  • CBC Syslog Connector: All Versions

Resolution

  • Please review the GitHub documentation located HERE.
  • For a sample configuration file, please click HERE.

Additional Information

  • The CB PSC Syslog Connector requires API keys with both the SIEM and the API access levels.
  • If multiple Cb Defense servers feed this SIEM, configure each additional server with its own connector_id, api_key, and server_url at the bottom of the config file. An example entry is included by default. For further help, see: https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-How-to-configure-the-Syslog-Connector-to-pull-data/ta-p/39857
  • The LEEF output format is version 2.0 only; LEEF 1.0 is not supported.
  • For the Syslog Connector to pull information, a Notification needs to be set up, because the connector pulls the alert and its associated information only for Notifications that were sent. Notifications can be set up per https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Add-New-Notifications/ta-p/38863
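To sanity-check the per-server blocks described in the second bullet before deploying the connector, the following added script (not part of this article or of the connector project) parses a constructed cb-defense-syslog.conf-style file and flags a missing connector_id/api_key/server_url, a placeholder API key, a non-HTTPS server_url, or a connector_id reused across sections. The INI layout, the [general] block and the [cbdefenseN] section names are assumptions; only the three per-server key names come from the article.

```python
import configparser
from io import StringIO
from urllib.parse import urlparse

# Constructed sample config. Section names and the [general] block are
# assumed; connector_id, api_key and server_url are the keys the article names.
SAMPLE_CONF = """
[general]
output_format = leef

[cbdefense1]
connector_id = EXAMPLE-CONNECTOR-ID-1
api_key = EXAMPLE-API-KEY-1
server_url = https://defense1.example.invalid/

[cbdefense2]
connector_id = EXAMPLE-CONNECTOR-ID-2
api_key = CHANGEME
server_url = http://defense2.example.invalid/
"""

REQUIRED = ("connector_id", "api_key", "server_url")
# Values commonly left in shipped example entries; treat them as unset.
PLACEHOLDERS = {"", "changeme", "your_api_key", "api_key"}


def check_servers(conf_text):
    """Return a list of (section, problem) tuples for every server section.

    An empty list means each server block has all three keys, a real-looking
    API key, an HTTPS server_url, and a connector_id not used elsewhere.
    """
    cfg = configparser.ConfigParser()
    cfg.read_file(StringIO(conf_text))
    problems = []
    seen_ids = {}  # connector_id -> first section that used it
    for section in cfg.sections():
        if section == "general":  # assumed name of the global block
            continue
        for key in REQUIRED:
            if not cfg.has_option(section, key):
                problems.append((section, f"missing {key}"))
        api_key = cfg.get(section, "api_key", fallback="").strip().lower()
        if cfg.has_option(section, "api_key") and api_key in PLACEHOLDERS:
            problems.append((section, "api_key is a placeholder"))
        if cfg.has_option(section, "server_url"):
            if urlparse(cfg.get(section, "server_url")).scheme != "https":
                problems.append((section, "server_url must use https"))
        cid = cfg.get(section, "connector_id", fallback=None)
        if cid in seen_ids:
            problems.append((section, f"connector_id duplicates [{seen_ids[cid]}]"))
        elif cid is not None:
            seen_ids[cid] = section
    return problems
```

Run it against the real file with `check_servers(open("cb-defense-syslog.conf").read())`; an empty result means the server sections pass these checks.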