EDR: How to Change Syslog Output to CEF Format

Article ID: 285764

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Change the watchlist syslog output so that hits are emitted in CEF (Common Event Format).

Environment

On-premise EDR 6.x or higher

Resolution

  1. The stock CEF syslog templates are located in /usr/share/cb/syslog_templates. If you plan to modify them, copy them to a custom directory first and point the settings below at the copies (see Additional Information). To use the stock templates as-is, add the following lines to /etc/cb/cb.conf:
    WatchlistSyslogTemplateProcess=/usr/share/cb/syslog_templates/process_cef.txt
    WatchlistSyslogTemplateBinary=/usr/share/cb/syslog_templates/binary_cef.txt
  2. The watchlist searcher process automatically picks up the new template when the next watchlist hit occurs.
  3. Additional options exist for syslog templates and output parameters. More information can be found here.

Additional Information

  • The Common Event Format (CEF) is an ArcSight standard that normalizes the event output of different technology vendors into a common, pipe-delimited form.
  • EDR watchlist syslog output is fully templated, so a template can be edited to match the CEF-defined layout.
  • CEF output is only available through native rsyslog and not through the Event Forwarder.
  • If you customize the CEF templates, move them into a custom directory and point the cb.conf settings at that directory. This prevents the templates from being overwritten during an upgrade.