Event Forwarder Not Sending Audit Logs in LEEF for on-prem EDR
Article ID: 287950
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Carbon Black EDR
Issue/Introduction
When audit log capture is enabled with the LEEF output format, the audit log events are still sent in JSON.
Environment
- EDR Server: All Versions
- Event Forwarder: 3.8.x to 3.8.4
Cause
A change in the 3.8.x series prevents the forwarder from reformatting the audit logs, so they are emitted in JSON instead of LEEF.
Resolution
CB-41266 has been opened to correct this. Please watch for the next release with the fix. https://github.com/carbonblack/cb-event-forwarder/releases
Workaround:
The only workaround at this time is to downgrade to 3.7.6:
- systemctl stop cb-event-forwarder
- cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /tmp/cb-event-forwarder.conf.backup
- yum remove cb-event-forwarder
- yum install cb-event-forwarder-3.7.6*
- mv /tmp/cb-event-forwarder.conf.backup /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
- systemctl start cb-event-forwarder
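The following script is an added example, not part of the Carbon Black article: it checks whether the installed forwarder version falls in the affected range, checks whether a captured audit log line is JSON rather than LEEF, and wraps the downgrade steps above so the config is backed up and restored. It assumes `rpm`/`yum` are available, that the affected range is 3.8.0 through 3.8.4, that LEEF records begin with the standard `LEEF:<version>|` header, and the sample log lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the Carbon Black KB). Package name and config path
# are taken from the article; the 3.8.0 lower bound is an assumption.

# Return 0 if the given version string (e.g. "3.8.2") is an affected release.
is_affected_version() {
  case "$1" in
    3.8.[0-4]|3.8.[0-4].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if a line that should be LEEF is actually a JSON object.
# LEEF records start with the "LEEF:<version>|" header; JSON objects start with "{".
# Constructed samples: '{"type":"audit.log","username":"admin"}' -> 0
#                      'LEEF:1.0|CarbonBlack|EDR|7.0|audit.log|' -> 1
is_json_not_leef() {
  case "$1" in
    LEEF:*) return 1 ;;
    "{"*)   return 0 ;;
    *)      return 1 ;;
  esac
}

# Installed forwarder version as reported by rpm (empty if the package is absent).
installed_version() {
  rpm -q --queryformat '%{VERSION}' cb-event-forwarder 2>/dev/null
}

# The KB's downgrade steps, stopping at the first failure so the backed-up
# config is never lost.
downgrade_forwarder() {
  conf=/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
  backup=/tmp/cb-event-forwarder.conf.backup
  systemctl stop cb-event-forwarder || return 1
  cp "$conf" "$backup" || return 1
  yum -y remove cb-event-forwarder || return 1
  yum -y install 'cb-event-forwarder-3.7.6*' || return 1
  cp "$backup" "$conf" || return 1
  systemctl start cb-event-forwarder
}

# Usage (not run automatically):
#   v=$(installed_version); is_affected_version "$v" && downgrade_forwarder
```

Run `is_json_not_leef` against a line from your SIEM input to confirm the symptom before downgrading.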