EDR: How to Customize Syslog Templates

Article ID: 285681

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to customize Syslog templates

Environment

  • EDR Server: All Versions
  • SIEM
  • Rsyslog

Resolution

  1. Find the templates that you will be modifying:
    • Base templates can be dumped into the current working directory by running:
    /usr/share/cb/cbsyslog -g
    • CEF format templates can be found here:
    /usr/share/cb/syslog_templates
  2. Open /etc/cb/cb.conf and add the configuration keys for the templates you will be customizing:
    BinaryInfoSyslogTemplateGroupObserved=<path and filename>
    BinaryInfoSyslogTemplateHostObserved=<path and filename>
    BinaryInfoSyslogTemplateObserved=<path and filename>
    FeedIngressSyslogTemplateBinary=<path and filename>
    FeedIngressSyslogTemplateProcess=<path and filename>
    FeedIngressSyslogTemplateHost=<path and filename>
    FeedStorageSyslogTemplateBinary=<path and filename>
    FeedStorageSyslogTemplateProcess=<path and filename>
    WatchlistSyslogTemplateBinary=<path and filename>
    WatchlistSyslogTemplateProcess=<path and filename>
    FeedQuerySyslogTemplateBinary=<path and filename>
    FeedQuerySyslogTemplateProcess=<path and filename>

  3. Review the CB Response Integration Guide for the event type you would like to modify to see which additional fields are available.
  4. What to add:
    NOTE: <tag> is the field name you are mapping to in the SIEM; <key> is the field name given in the Integration Guide.
    • Base templates use this format:
    <tag>='{{doc["<key>"]}}'
    • CEF templates use this format:
    <tag>:{{doc["<key>"]|cef_escape}}

  5. Save templates
  6. Restart services (see: Cb Response: How to restart the server services)
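To see how a template line from step 4 turns into a syslog line, here is an added stand-in renderer for the `{{doc["<key>"]}}` placeholder syntax (example code, not the product's own cbsyslog implementation). The `cef_escape` semantics (escaping backslash, equals sign and line breaks) and the sample event document are assumptions constructed for this illustration.

```python
import re

# Matches {{doc["<key>"]}} and {{doc["<key>"]|<filter>}} as shown in step 4.
# This is a hypothetical stand-in for the product's Jinja-style rendering.
PLACEHOLDER = re.compile(r'\{\{\s*doc\["([^"]+)"\]\s*(?:\|\s*(\w+))?\s*\}\}')


def cef_escape(value):
    """Escape a CEF extension value (assumed rules: backslash, '=', CR/LF)."""
    return (str(value)
            .replace("\\", "\\\\")
            .replace("=", "\\=")
            .replace("\r", "\\r")
            .replace("\n", "\\n"))


FILTERS = {"cef_escape": cef_escape}


def render(template, doc):
    """Substitute each placeholder from the event document.

    A key the event type does not carry (e.g. cmdline on an ingress event)
    renders as an empty value rather than breaking the whole line.
    """
    def substitute(match):
        key, flt = match.group(1), match.group(2)
        value = doc.get(key, "")
        return FILTERS[flt](value) if flt else str(value)
    return PLACEHOLDER.sub(substitute, template)


# Constructed sample documents; values are not from a real server.
STORAGE_DOC = {
    "hostname": "WKS-01",
    "process_name": "cmd.exe",
    "cmdline": "cmd.exe /c set X=1",   # contains '=' to exercise cef_escape
}
# Ingress events carry no cmdline, per the Additional Information section.
INGRESS_DOC = {k: v for k, v in STORAGE_DOC.items() if k != "cmdline"}

BASE_TEMPLATE = ('type=watchlist.hit.process host=\'{{doc["hostname"]}}\' '
                 'proc=\'{{doc["process_name"]}}\' cmd=\'{{doc["cmdline"]}}\'')
CEF_TEMPLATE = ('shost:{{doc["hostname"]|cef_escape}} '
                'cs1:{{doc["cmdline"]|cef_escape}}')


def demo():
    """Render both template styles against storage and ingress documents."""
    return {
        "base_storage": render(BASE_TEMPLATE, STORAGE_DOC),
        "base_ingress": render(BASE_TEMPLATE, INGRESS_DOC),
        "cef_storage": render(CEF_TEMPLATE, STORAGE_DOC),
    }


if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name}: {line}")
```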

Additional Information

  • Some fields are not available for every event type. For example, cmdline is not available for ingress events but is available for storage events, because the command line is only available after the event has been indexed in Solr.
  • Template headers are set in /etc/rsyslog/cb-coreservices.conf.
  • CEF formatted templates are found in /usr/share/cb/syslog. If you plan to modify these, copy them into a custom directory and edit the copies; this avoids having the files overwritten on the next upgrade.