How to configure the Event-Forwarder on an external server
search cancel

How to configure the Event-Forwarder on an external server


Article ID: 285717


Updated On:


Carbon Black EDR (formerly Cb Response)


In some scenarios it's desirable to install and configure the EDR Event Forwarder onto an external server. 


  • EDR Server: All Versions
  • Carbon Black EDR Event Forwarder: All Versions


  1. Log into the server that will be hosting the event forwarder via SSH/Terminal
  2. Download the event forwarder using the Carbon Black repo:
    1. cd /etc/yum.repos.d
    2. curl -O
    3. yum install cb-event-forwarder
  3. On the EDR server, create a new RabbitMQ user and password (Do not use user "cb" that exists for the server) and permissions
    /usr/share/cb/cbrabbitmqctl add_user <username> <password>
    /usr/share/cb/cbrabbitmqctl set_user_tags <username> administrator
    /usr/share/cb/cbrabbitmqctl set_permissions -p / <username> ".*" ".*" ".*"
  4. On the event forwarder server, edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf with the same credentials:
  5. Fill out the remaining info based on how you want to the events forwarded. See the Carbon Black EDR Event Forwarder Github page.
  6. Confirm that port 5004 is open for communication to the EDR server
  7. Start the cb-event-forwarder service
    intictl start cb-event-forwarder

Additional Information

  • The feature to configure the event forwarder via the console is not available to remote event forwarder installations.
  • Audit logging is not available to remove event forwarders, on a direct installed event forwarder it pull the audit logs directly from /var/log/cb/audit, in which a remote event forwarder does not have access to get. If possible, setup a local event forwarder that is set to only forward audit logs if the remote forwarder is to reduce load on the EDR server.