EDR: Event Forwarder remove_from_output Broken in v3.8.4

Article ID: 287655

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

After adding the remove_from_output variable to the cb-event-forwarder.conf file and restarting the Event Forwarder, the fields listed for exclusion continue to appear in the JSON output.

Environment

  • EDR Server: 7.7.x and higher
  • Event Forwarder: 3.8.4

Cause

Upgrading from v3.7.6 to v3.8.4 broke the ability to remove, or exclude, fields written to the JSON file (CB-40736).

Resolution

No workaround is currently available (Nov 2022).

Additional Information

  • The Event Forwarder variable 'remove_from_output' is a key element in fine-tuning the RabbitMQ data forwarded to the SIEM.
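
One way to confirm whether a deployment is affected, as an added example (not part of the original article or the vendor's tooling): the script scans Event Forwarder JSON output for fields that remove_from_output was supposed to drop and counts the events that still carry them. It assumes one JSON event per line and checks nested keys as well; the function names and the sample events are constructed for illustration.

```python
import json
import sys
from collections import Counter

def find_keys(obj, wanted, found):
    """Collect every key from `wanted` that occurs anywhere in a decoded JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in wanted:
                found.add(key)
            find_keys(value, wanted, found)
    elif isinstance(obj, list):
        for item in obj:
            find_keys(item, wanted, found)

def audit_output(lines, excluded_fields):
    """Return (events_checked, Counter{field: events still containing it}, unparsable_lines)."""
    wanted = {f.strip() for f in excluded_fields if f.strip()}
    leaks, checked, bad = Counter(), 0, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # truncated or non-JSON line: count it rather than abort
            continue
        checked += 1
        found = set()
        find_keys(event, wanted, found)
        leaks.update(found)  # each field is counted once per event
    return checked, leaks, bad

# Constructed sample events (field names and values are illustrative only).
SAMPLE = [
    '{"type": "ingress.event.procstart", "computer_name": "WS-01", "command_line": "cmd.exe /c dir"}',
    '{"type": "ingress.event.netconn", "computer_name": "WS-02", "details": {"username": "alice"}}',
    'not json',
    '',
]

if __name__ == "__main__":
    # Usage: audit.py FIELD[,FIELD...] [OUTPUT_FILE]; with no file, the sample is audited.
    fields = sys.argv[1].split(",") if len(sys.argv) > 1 else ["command_line", "username"]
    source = open(sys.argv[2], encoding="utf-8") if len(sys.argv) > 2 else SAMPLE
    checked, leaks, bad = audit_output(source, fields)
    print(f"{checked} events checked, {bad} unparsable lines")
    for name, count in sorted(leaks.items()):
        print(f"  {name}: still present in {count} events")
    sys.exit(1 if leaks else 0)
```

A non-zero exit status means at least one field that should have been excluded is still reaching the output, so the result can gate a post-upgrade check before the data is forwarded to the SIEM.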