EDR: How to Configure the Event Forwarder to use a hec token to connect to Splunk

EDR: How to Configure the Event Forwarder to use a hec token to connect to Splunk

search cancel

EDR: How to Configure the Event Forwarder to use a hec token to connect to Splunk

book

Article ID: 288111

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

To configure the EDR Event Forwarder to connect to Splunk using a hec token.

Environment

EDR: 7.7.0 and Higher
Event Forwarder: 3.7.6
Splunk: All Supported Versions

Resolution

Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
Add or modify:

output_type=splunk
splunkout=https://<your-splunk-HEC-endpoint>:8088/services/collector/event
output_format=json

[splunk]

hec_token=YOUR_SPLUNK_HEC_TOKEN
tls_verify=false
upload_empty_files=false
bundle_send_timeout=60
http_post_template={{range .Events}}{"sourcetype":"vmware:cb:edr:json","event":{{.EventText}}}{{end}}

Additional Information

Feedback

thumb_up Yes

thumb_down No