EDR: No messages sent to SIEM through Event Forwarder
Article ID: 290636
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Nothing is logged to the output file location
- Multiple output addresses are set in cb-event-forwarder.conf, but nothing is received
  - e.g., both udpout and syslogout point to the same syslog server ip:port
Environment
- EDR Server: All Versions (formerly CB Response)
- Event Forwarder: All Versions
Cause
Only one output address and output type can be used.
Resolution
- Modify the configuration file so that only one of the *out locations is set
- Restart Event Forwarder
Additional Information
- Output will only be written to the outfile if output_type=file
- Each instance of the Event Forwarder can only send data to one location
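A pre-restart check for the two conditions described above, as an added example (not Broadcom's or the Event Forwarder project's own code): it flags a cb-event-forwarder.conf that sets more than one *out key, or that sets outfile while output_type is not file. The `[bridge]` section name, addresses, and file path in the sample are constructed values, and `audit_forwarder_conf` is a hypothetical helper name.

```python
import configparser

# Constructed sample reproducing the symptom on this page: udpout and
# syslogout both aimed at the same syslog server. All values are made up.
SAMPLE_CONF = """\
[bridge]
output_type=udp
outfile=/tmp/example-output.json
udpout=192.0.2.10:514
syslogout=192.0.2.10:514
"""


def audit_forwarder_conf(text):
    """Return a list of findings for one cb-event-forwarder.conf body."""
    # Lines commented out with # or ; are ignored by configparser,
    # so only active settings are counted.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        opts = {k: v.strip() for k, v in parser.items(section)}
        # Keys matching the page's "*out" pattern that carry a value.
        outs = sorted(k for k, v in opts.items() if k.endswith("out") and v)
        if len(outs) > 1:
            findings.append(
                f"[{section}] multiple output locations set: "
                f"{', '.join(outs)}; keep one and comment out the rest")
        output_type = opts.get("output_type", "").lower()
        if opts.get("outfile") and output_type != "file":
            findings.append(
                f"[{section}] outfile is set but "
                f"output_type={output_type or '(unset)'}; nothing is "
                "written to outfile unless output_type=file")
    return findings


if __name__ == "__main__":
    for finding in audit_forwarder_conf(SAMPLE_CONF):
        print(finding)
```

To check a live configuration, pass the contents of the server's cb-event-forwarder.conf to `audit_forwarder_conf` instead of the sample; an empty result means neither condition was found.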