How to configure the Cb-Event-Forwarder on an external server

Article ID: 285717


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to set up and configure a remote cb-event-forwarder.

  • Reduce load on the EDR Server
  • Send data to additional locations

Environment

  • Carbon Black EDR Server: All Versions
  • Carbon Black Event Forwarder: All Versions

Resolution

  1. Log into the server that will be hosting the event forwarder via SSH/Terminal.
  2. Install the Carbon Black Event Forwarder.
  3. On the EDR server, create a new RabbitMQ user with a password and set its permissions (do not use the "cb" user that already exists for the server):
    /usr/share/cb/cbrabbitmqctl add_user <username> <password>
    /usr/share/cb/cbrabbitmqctl set_user_tags <username> administrator
    /usr/share/cb/cbrabbitmqctl set_permissions -p / <username> ".*" ".*" ".*"
  4. On the event forwarder server, edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf with the same credentials:
    rabbit_mq_username=
    rabbit_mq_password=
    cb_server_hostname=
  5. Fill out the remaining settings based on how you want the events forwarded. See the Carbon Black Event Forwarder documentation.
  6. Confirm that port 5004 is open for communication to the EDR server.
  7. Start the cb-event-forwarder service.
    initctl start cb-event-forwarder
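
A pre-flight check for the forwarder host, to run after step 6 and before starting the service. This is an added example, not part of the original article or of Carbon Black's tooling. The script name, the function names and the file-permission check are assumptions of this example; the configuration keys and port 5004 are the ones given in the steps above.

```shell
#!/usr/bin/env bash
# Pre-flight check for a remote cb-event-forwarder host (added example).
# Usage: ./preflight.sh /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

# Print the value of key $2 in conf file $1 (last assignment wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Check the three settings from step 4. Prints findings and
# returns the number of problems found (0 means the file passes).
check_conf() {
    conf=$1; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for key in rabbit_mq_username rabbit_mq_password cb_server_hostname; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "$key is empty or missing"; problems=$((problems + 1))
        fi
    done
    # Step 3: the forwarder must not reuse the server's own "cb" user.
    if [ "$(conf_get "$conf" rabbit_mq_username)" = "cb" ]; then
        echo 'rabbit_mq_username is "cb"; use the dedicated user from step 3'
        problems=$((problems + 1))
    fi
    # The file stores the RabbitMQ password in clear text.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "$conf is world-readable; restrict its permissions"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Step 6: succeed only if a TCP connection to host $1, port $2 (default 5004) opens.
check_port() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "${2:-5004}" 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    check_conf "$1" || exit 1
    host=$(conf_get "$1" cb_server_hostname)
    check_port "$host" || { echo "cannot reach $host:5004"; exit 1; }
    echo "pre-flight checks passed"
fi
```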

Additional Information

  • The feature to configure the event forwarder via the console is not available to remote event forwarder installations.
  • Audit logging is not available to remote event forwarders. A directly installed event forwarder pulls the audit logs from /var/log/cb/audit, which a remote event forwarder cannot access. If the remote forwarder is being used to reduce load on the EDR server, then, if possible, set up a local event forwarder that is set to forward only audit logs.