EDR: How to confirm the Cb-Event-Forwarder is sending events

Article ID: 291007

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to determine if the cb-event-forwarder is sending events

Environment

  • EDR Server: All Versions
  • Event Forwarder: All Versions

Resolution

  1. Log in to the cb-event-forwarder server via SSH or a local terminal.
  2. Tail the forwarder's local output file to confirm events are being generated:
     tail -f /var/cb/data/event_bridge_output.json
  3. If events appear in the file but are not received by the SIEM, confirm they are leaving the server (the output port is 514 by default):
     tcpdump -X -i any port 514
  4. If tcpdump shows event forwarder messages leaving the server, the event forwarder is working as expected; confirm network connectivity between the SIEM and the cb-event-forwarder server.
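The checks above, combined into a small shell script that can be run on the forwarder host, as an added example and not Carbon Black's own tooling. It assumes the output file path and port from the article, that the forwarder writes one JSON object per line with a "type" field, and that ss is installed; the sample events it writes for offline testing are constructed.

```shell
#!/bin/sh
# Added health check for the cb-event-forwarder (not Carbon Black's own tooling).
# Assumes one JSON object per line in the output file, each with a "type" field.
LOG="${LOG:-/var/cb/data/event_bridge_output.json}"
PORT="${PORT:-514}"

# Return 0 if file $1 was modified within the last $2 seconds (default 60).
# A stale file means the forwarder is not writing; tcpdump is not the next step yet.
log_is_fresh() {
  [ -f "$1" ] || return 1
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  [ $(( $(date +%s) - mtime )) -le "${2:-60}" ]
}

# Count event lines (JSON objects with a "type" field) among the last $2 lines of $1.
count_recent_events() {
  tail -n "${2:-100}" "$1" | grep -c '^{.*"type"'
}

# Tally events per "type" in the last $2 lines of $1, busiest type first.
# Useful to spot e.g. watchlist hits flowing while ingress events are absent.
event_types() {
  tail -n "${2:-1000}" "$1" | sed -n 's/.*"type": *"\([^"]*\)".*/\1/p' | sort | uniq -c | sort -rn
}

# Return 0 if this host holds an established TCP connection to port $1.
# Only meaningful for TCP syslog output; for UDP rely on the tcpdump command above.
has_tcp_connection() {
  ss -tn state established "( dport = :$1 )" 2>/dev/null | tail -n +2 | grep -q .
}

# Write constructed sample events (plus one non-event line) to $1 for offline testing.
write_sample_log() {
  cat > "$1" <<'EOF'
{"type": "ingress.event.process", "hostname": "WS01", "process_guid": "00000001-0000-0001-01d0-000000000001"}
{"type": "ingress.event.process", "hostname": "WS02", "process_guid": "00000001-0000-0002-01d0-000000000002"}
{"type": "watchlist.hit.process", "hostname": "WS01", "watchlist_name": "Sample watchlist"}
not-a-json-line
EOF
}

main() {
  log_is_fresh "$LOG" 60 && echo "OK: $LOG updated in the last minute" || echo "WARN: $LOG stale or missing"
  echo "recent events: $(count_recent_events "$LOG" 100)"
  event_types "$LOG" 1000
  has_tcp_connection "$PORT" && echo "OK: TCP session to port $PORT" || echo "INFO: no TCP session to port $PORT (expected for UDP)"
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh check_forwarder.sh --check` on the forwarder host; set LOG or PORT in the environment if the deployment uses non-default values.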