EDR: Event Forwarder Not Sending Audit Logs in LEEF

Article ID: 287950

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

When audit log capture is enabled with the LEEF output format selected, the audit logs are still sent in JSON.

Environment

  • EDR Server: All Versions
  • Event Forwarder: 3.8.x to 3.8.4

Cause

A change in the 3.8.x series causes the forwarder not to reformat audit logs into LEEF, so they are passed through in their original JSON form.

Resolution

CB-41266 has been opened to correct this. Please watch for the next release with the fix. https://github.com/carbonblack/cb-event-forwarder/releases

Workaround:
The only workaround at this time is to downgrade to 3.7.6:
  1. systemctl stop cb-event-forwarder
  2. cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
  3. yum remove cb-event-forwarder
  4. yum install cb-event-forwarder-3.7.6*
  5. mv /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /tmp
  6. systemctl start cb-event-forwarder
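Because the symptom is output in the wrong format, it is worth confirming after the downgrade that what the forwarder emits is actually LEEF rather than JSON. The following is an added example, not part of this article or of the cb-event-forwarder project; it assumes you feed it lines captured from the forwarder's output (a file or a syslog collector), and the sample lines are constructed for illustration, not captured from a real forwarder.

```python
"""Classify forwarder output lines as LEEF, JSON or unknown.

Added example; not the KB article's or cb-event-forwarder's own code.
SAMPLE_LINES are constructed, not captured from a real forwarder.
"""
import json
import re

# LEEF header: LEEF:<ver>|Vendor|Product|Version|EventID|[delim|]key=value...
LEEF_HEADER = re.compile(
    r"^LEEF:(1\.0|2\.0)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$", re.S)

SAMPLE_LINES = [  # constructed; vendor/product/event names are placeholders
    "LEEF:1.0|Carbon Black|CB EDR|6.1|audit|username=admin\tdescription=Logged in\tip=10.0.0.5",
    '{"type": "audit", "username": "admin", "description": "Logged in"}',
    "LEEF:2.0|Carbon Black|CB EDR|6.1|audit|^|username=admin^ip=10.0.0.5",
    "not a structured event at all",
]


def parse_leef(line):
    """Return header fields plus attributes dict, or None if not LEEF."""
    m = LEEF_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    version, vendor, product, pver, event_id, rest = m.groups()
    delim = "\t"  # LEEF 1.0 attributes are tab separated
    if version == "2.0":
        # LEEF 2.0 may carry a delimiter field (single char or hex xHH/0xHH)
        # before the attributes; if it is absent, tab is assumed.
        d, sep, attrs = rest.partition("|")
        if sep and len(d) == 1:
            delim, rest = d, attrs
        elif sep and re.fullmatch(r"(0x|x)[0-9A-Fa-f]{2}", d):
            delim, rest = chr(int(d[-2:], 16)), attrs
    attributes = {}
    for kv in rest.split(delim):
        k, eq, v = kv.partition("=")
        if eq:
            attributes[k] = v
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": pver, "event_id": event_id,
            "attributes": attributes}


def classify(line):
    """'leef', 'json' or 'unknown' for a single output line."""
    if parse_leef(line) is not None:
        return "leef"
    try:
        return "json" if isinstance(json.loads(line), dict) else "unknown"
    except ValueError:
        return "unknown"


def audit_format_report(lines):
    """Count formats; any 'json' with LEEF configured means the bug is present."""
    counts = {"leef": 0, "json": 0, "unknown": 0}
    for line in lines:
        if line.strip():
            counts[classify(line)] += 1
    return counts
```

Run `audit_format_report` over a capture taken after restarting the forwarder; a non-zero `json` count with LEEF configured indicates the affected 3.8.x behaviour is still in place.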