Carbon Black Cloud: How To Troubleshoot Syslog Connector 1.x
search cancel

Carbon Black Cloud: How To Troubleshoot Syslog Connector 1.x


Article ID: 287869


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


How to troubleshoot Syslog Connector 1.x


  • Carbon Black Console: All Supported Versions
  • Carbon Black Cloud Syslog Connector: 1.x


1. From within the Console, verify that a SIEM type connector has been created and is being used

2. From with the cb-defense-syslog.conf file found here: /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf verify the following:
  1. CBC Connector ID
  2. CBC API Key (from your SIEM connector)
  3. The correct API URL is being used, for a full list of URLs check here 
       The critical configs within the cb-defense-syslog.conf should look like this:
# Cb Defense Connector ID
connector_id = TSDTG351A1
# Cb Defense API Key
api_key = NASD4342562IZ39EMMSDA2
# Cb Defense Server URL
server_url = # Prod02 URL

3. Check the cb-defense-syslog.log file for HTTP or Authentication errors found here /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

4. Test connectivity through on-prem firewalls to your backend API URL

  1. Create a new API connector type from within the console
  2. Run this command: curl -H X-Auth-Token:API_KEY/CONNECTOR_ID
  3. If this command worked then connectivity has been verified, try re-creating your SIEM connector and update your keys within the .conf file
  4. If this fails, check firewall rules (local and site) to ensure proper exclusions are in place per these documents:
  5. If connectivity is still failing after the firewall rules have been checked, collect a network packet capture, the cb-defense-syslog.log and cb-defense-syslog.conf and create a ticket with support

5. If events are not being received verify:

  1. The connectivity checks listed above are passed and no errors are found in the cb-defense-syslog.log file
  2. Ensure a Notification has been created and tied to the Connector from the console
  3. From the Connectors page select the Notifications Icon and verify alerts are being "Sent". If "NOT_TRIGGERED" is listed, adjust your Notification rules accordingly