How to Customize Syslog Templates
Article ID: 285681


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to customize Syslog templates in Carbon Black EDR

Environment

  • Carbon Black EDR Server: All Versions
  • SIEM: Any Supported Version
  • Rsyslog

Resolution

  1. Find the templates that you will be modifying
    • The base templates can be written out into the current working directory by running:
    /usr/share/cb/cbsyslog -g
    • The CEF format templates can be found here:
    /usr/share/cb/syslog_templates
  2. Open /etc/cb/cb.conf and add configuration entries for the templates you will be customizing
    BinaryInfoSyslogTemplateGroupObserved=<path and filename>
    BinaryInfoSyslogTemplateHostObserved=<path and filename>
    BinaryInfoSyslogTemplateObserved=<path and filename>
    FeedIngressSyslogTemplateBinary=<path and filename>
    FeedIngressSyslogTemplateProcess=<path and filename>
    FeedIngressSyslogTemplateHost=<path and filename>
    FeedStorageSyslogTemplateBinary=<path and filename>
    FeedStorageSyslogTemplateProcess=<path and filename>
    WatchlistSyslogTemplateBinary=<path and filename>
    WatchlistSyslogTemplateProcess=<path and filename>
    FeedQuerySyslogTemplateBinary=<path and filename>
    FeedQuerySyslogTemplateProcess=<path and filename>
  3. Review the EDR Integration Guide for the event type you would like to modify to see which additional fields are available
  4. What to add:
    NOTE: <tag> is the field name you are mapping to in the SIEM. <key> is the field name from the Integration Guide.
    • Base templates use this format:
    <tag>='{{doc["<key>"]}}'
    • CEF templates use this format:
    <tag>:{{doc["<key>"]|cef_escape}}
  5. Save templates
  6. Restart the EDR server services with CBCLUSTER command
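To show what the two placeholder forms in step 4 expand to, here is an added, stand-alone Python renderer that is not part of Carbon Black EDR or this article. It implements only the `{{doc["<key>"]}}` and `{{doc["<key>"]|cef_escape}}` placeholders; the `cef_escape` semantics (escape backslash and equals, encode newlines) are assumed from the CEF specification, the CEF lines use the spec's `key=value` extension form, and the sample event document and its field values are constructed.

```python
import re

# Matches the two placeholder forms described in this article:
#   {{doc["<key>"]}}             (base templates)
#   {{doc["<key>"]|cef_escape}}  (CEF templates)
PLACEHOLDER = re.compile(r'\{\{\s*doc\["([^"]+)"\]\s*(\|\s*cef_escape)?\s*\}\}')


def cef_escape(value):
    """Escape a CEF extension value (assumed semantics, per the CEF spec):
    backslash and '=' are backslash-escaped, CR/LF become literal \\r \\n.
    Without this, a command line containing '=' (e.g. base64 padding) would
    be split by the SIEM's key=value parser and the field would be truncated."""
    text = str(value)
    text = text.replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def render(template, doc):
    """Render one template against one event document.
    Missing keys render as an empty string (an assumption of this example)."""
    def substitute(match):
        key, escaped = match.group(1), match.group(2)
        value = doc.get(key, "")
        return cef_escape(value) if escaped else str(value)
    return PLACEHOLDER.sub(substitute, template)


# Constructed sample watchlist-hit document; field names are illustrative.
SAMPLE_DOC = {
    "hostname": "WS-0042",
    "process_name": "powershell.exe",
    "cmdline": "powershell.exe -enc AAA= | more",
    "watchlist_name": "Encoded PowerShell",
}

# Base-template style: <tag>='{{doc["<key>"]}}'
BASE_TEMPLATE = "host='{{doc[\"hostname\"]}}' proc='{{doc[\"process_name\"]}}' cmd='{{doc[\"cmdline\"]}}'"
# CEF-template style: <tag>=<escaped value> in the extension part
CEF_TEMPLATE = 'dvchost={{doc["hostname"]|cef_escape}} cs1={{doc["cmdline"]|cef_escape}} cs2={{doc["watchlist_name"]|cef_escape}}'

if __name__ == "__main__":
    print(render(BASE_TEMPLATE, SAMPLE_DOC))
    print(render(CEF_TEMPLATE, SAMPLE_DOC))
```

Run it to compare the raw base rendering against the CEF rendering, where the `=` in the encoded command line comes out as `\=` so the SIEM keeps the whole value in `cs1`.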

Additional Information

  • Some fields are not available for every event type. For example, cmdline is not available for ingress events but is available for storage events, because the command line only becomes available once the event has been indexed in Solr.
  • Template headers are set in /etc/rsyslog/cb-coreservices.conf
  • CEF formatted templates are found in /usr/share/cb/syslog. If you plan to modify these, copy them into a custom directory and edit the copies there; this avoids the files being overwritten on the next upgrade.