EDR: Configuring Yara Connector with a Non-Default Directory

Article ID: 287668

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Configure cb-yara-connector to use a custom directory (not /var/cb/data).

Environment

  • EDR Server: 7.x
  • Yara-connector: 2.2.0-1+

Resolution

      1.  Modify /etc/cb/integrations/cb-yara-connector/yaraconnector.conf.
Change the line:
feed_database_dir=/var/cb/data/cb-yara-connector/feed_db

To:
feed_database_dir=<custom directory>/feed_db
     
      2.  Modify /etc/systemd/system/cb-yara-connector.service.   
Change the line:
ExecStart=/usr/share/cb/integrations/cb-yara-connector/yaraconnector --pid-file /run/cb/integrations/cb-yara-connector/cb-yara-connector.pid --config-file /etc/cb/integrations/cb-yara-connector/yaraconnector.conf --daemon --log-file /var/log/cb/integrations/cb-yara-connector/yaraconnector.log --output-file /var/cb/data/cb-yara-connector/feed.json

To:
ExecStart=/usr/share/cb/integrations/cb-yara-connector/yaraconnector --pid-file /run/cb/integrations/cb-yara-connector/cb-yara-connector.pid --config-file /etc/cb/integrations/cb-yara-connector/yaraconnector.conf --daemon --log-file /var/log/cb/integrations/cb-yara-connector/yaraconnector.log --output-file <custom directory>/feed.json
     
      3.  Stop the service, reload the systemd configuration, and start the service again.
Run:
systemctl stop cb-yara-connector

systemctl daemon-reload

systemctl start cb-yara-connector
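
The edits in steps 1 and 2 live in two different files and must name the same directory. The shell functions below are an added example, not code from the vendor or the connector project: they apply both edits to files passed as arguments and check that the two settings agree. The directory /data/yara in the usage comment is a constructed value.

```shell
#!/bin/sh
# Added example, not vendor code. CONF and UNIT are passed as arguments so the
# functions can be tried on copies of the two files first.

# Print the feed_database_dir value from a yaraconnector.conf file.
conf_feed_db() {
    sed -n 's/^[[:space:]]*feed_database_dir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print the --output-file argument of the ExecStart line in a unit file.
unit_output_file() {
    sed -n '/^ExecStart=/s/.*--output-file[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | tail -n 1
}

# Steps 1 and 2: point both settings at DIR. Originals are kept as *.bak.
set_yara_dir() {   # usage: set_yara_dir DIR CONF UNIT
    _dir=${1%/}
    # Accept only absolute paths whose characters are safe in a sed
    # replacement and in an unquoted ExecStart argument.
    case $_dir in
        /*) ;;
        *) echo "directory must be an absolute path: $1" >&2; return 2 ;;
    esac
    case $_dir in
        *[!A-Za-z0-9/._-]*) echo "unsupported character in: $1" >&2; return 2 ;;
    esac
    sed -i.bak "s|^\([[:space:]]*feed_database_dir[[:space:]]*=\).*|\1$_dir/feed_db|" "$2" &&
    sed -i.bak "/^ExecStart=/s|\(--output-file[[:space:]]\{1,\}\)[^[:space:]]\{1,\}|\1$_dir/feed.json|" "$3"
}

# Return 0 only when both files point into DIR; report each mismatch.
check_yara_dir() {   # usage: check_yara_dir DIR CONF UNIT
    _dir=${1%/}; _rc=0
    [ "$(conf_feed_db "$2")" = "$_dir/feed_db" ] ||
        { echo "feed_database_dir is '$(conf_feed_db "$2")'" >&2; _rc=1; }
    [ "$(unit_output_file "$3")" = "$_dir/feed.json" ] ||
        { echo "--output-file is '$(unit_output_file "$3")'" >&2; _rc=1; }
    return $_rc
}

# Example with a constructed directory /data/yara, run on copies:
#   set_yara_dir /data/yara ./yaraconnector.conf ./cb-yara-connector.service
#   check_yara_dir /data/yara ./yaraconnector.conf ./cb-yara-connector.service
```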