EDR: How to enable audit logging for the cb-event-forwarder

Article ID: 290189

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Set up audit logging on the EDR server so that audit events are sent to the cb-event-forwarder and forwarded on to a SIEM.

Environment

  • EDR (formerly CB Response) Server: 6.2 and later
  • CB Event Forwarder: 3.4.2 and later

Resolution

  1. Edit the /etc/cb/cb.conf file
    • Set EnableAuditLogsToEvents=True
    • Set EnableExtendedApiAuditLogging=True
  2. Edit the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file
    • Set audit_log=true
  3. Restart the cb-enterprise services per Cb Response: How to restart services
  4. Restart the cb-event-forwarder
    • initctl stop cb-event-forwarder
    • initctl start cb-event-forwarder
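The four steps above applied as one idempotent script. This is an added example, not Carbon Black's own tooling: it assumes the plain `Key=Value` line format shown in the steps, takes the two config paths as arguments (so it can be dry-run against copies), and prints the restart reminders rather than running them.

```shell
#!/bin/sh
# Added example (not Carbon Black's own tooling): set the audit-logging keys
# from the steps above idempotently and report whether each file changed.
# Assumes "Key=Value" lines; a key that is absent is appended to the file.

# set_kv FILE KEY VALUE -> prints "changed" or "unchanged"
set_kv() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    if grep -q "^${key}=${value}$" "$file"; then
      echo unchanged
      return 0
    fi
    # rewrite the existing line via a temp file (portable, no sed -i)
    tmp="${file}.tmp.$$"
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
  echo changed
}

# get_kv FILE KEY -> prints the current value (empty if the key is absent)
get_kv() {
  sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# enable_audit_forwarding CB_CONF FORWARDER_CONF
# Applies steps 1 and 2; prints which restarts (steps 3 and 4) are still needed.
enable_audit_forwarding() {
  cb_conf=$1; fwd_conf=$2
  cb_changed=0; fwd_changed=0
  for kv in EnableAuditLogsToEvents=True EnableExtendedApiAuditLogging=True; do
    [ "$(set_kv "$cb_conf" "${kv%%=*}" "${kv#*=}")" = changed ] && cb_changed=1
  done
  [ "$(set_kv "$fwd_conf" audit_log true)" = changed ] && fwd_changed=1
  [ "$cb_changed" -eq 1 ] && echo "cb.conf changed: restart the cb-enterprise services"
  [ "$fwd_changed" -eq 1 ] && echo "forwarder config changed: initctl stop/start cb-event-forwarder"
  return 0
}

# Real usage (root on the EDR server):
# enable_audit_forwarding /etc/cb/cb.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
```

Running it a second time reports both files as unchanged, so it can be used as a post-change check that the keys are still set.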