EDR: Event Forwarder remove_from_output Broken in v3.8.4
Article ID: 287655
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
After adding the variable remove_from_output to the cb-event-forwarder.conf file and restarting the Event Forwarder, the fields listed for exclusion continue to appear in the JSON output.
Environment
EDR Server: 7.7.x and higher
Event Forwarder: 3.8.4
Cause
Upgrading from v3.7.6 to v3.8.4 broke the ability to remove (exclude) fields from the JSON output file. Tracked as CB-40736.
Resolution
No workaround is currently available (Nov 2022).
Additional Information
The Event Forwarder (EF) variable 'remove_from_output' is a key element in fine-tuning the RabbitMQ event data forwarded to the SIEM.
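A quick way to confirm whether the symptom described under Issue/Introduction affects an installation is to compare the fields listed in remove_from_output against the events actually written to the JSON output. The following checker is an added example, not Carbon Black's code; it assumes an INI-style "key=value" line with a comma-separated field list, and the configuration fragment and event lines below are constructed samples.

```python
import json
import re

# Constructed cb-event-forwarder.conf fragment. The "key=value" layout with a
# comma-separated field list is an assumption about the file format.
SAMPLE_CONF = """
output_type=file
outfile=/var/cb/data/event_bridge_output.json
remove_from_output=computer_name,username,md5
"""

# Constructed JSON output lines (one event per line) as the forwarder might
# write them when the exclusion is not honoured.
SAMPLE_OUTPUT = """
{"type": "ingress.event.process", "computer_name": "WS01", "username": "alice", "md5": "PLACEHOLDER_MD5", "path": "/tmp/x"}
{"type": "ingress.event.netconn", "computer_name": "WS02", "path": "/tmp/y", "domain": "example.invalid"}
"""


def parse_remove_from_output(conf_text):
    """Return the field names listed under remove_from_output (empty if absent)."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*remove_from_output\s*=\s*(.*)$", line)
        if m:
            return [f.strip() for f in m.group(1).split(",") if f.strip()]
    return []


def find_leaked_fields(conf_text, output_text):
    """Map each excluded field to the number of output events still carrying it.

    A non-zero count is the symptom this article describes: the field was
    listed for removal but survives in the JSON the forwarder wrote.
    """
    excluded = parse_remove_from_output(conf_text)
    leaked = {field: 0 for field in excluded}
    for line in output_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for field in excluded:
            if field in event:
                leaked[field] += 1
    return leaked


if __name__ == "__main__":
    for field, count in find_leaked_fields(SAMPLE_CONF, SAMPLE_OUTPUT).items():
        print("%s: %s" % (field, "LEAKED in %d event(s)" % count if count else "removed"))
```

Point the two constants at a real cb-event-forwarder.conf and a sample of the output file to run the same check against a live installation.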