Events are No Longer Sent to the SIEM After Modifying the cb-event-forwarder.conf Manually

Article ID: 413569


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

After manually modifying the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file to adjust the output type, events are no longer being sent to the SIEM.

Environment

  • Carbon Black EDR: All Versions
  • Carbon Black Event Forwarder: All Versions

Cause

output_type is incorrectly set

Resolution

Set output_type to one of the output types the forwarder expects:

  • udp - Send the events over a UDP socket
  • tcp - Send the events over a TCP socket
  • file - Output the events to a rotating file
  • s3 - Place the events in S3-compatible object storage
  • syslog - Send the events to a syslog server
  • splunk - Send the events to a Splunk HEC endpoint
  • http - Send the events to an HTTP server
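As an added example (not part of this article or of the cb-event-forwarder project), a small Python check that parses the forwarder's key=value config text, verifies that output_type is one of the values listed above, and flags the file case that only writes locally. The sample config text is constructed, and an exact lowercase match on the value is an assumption of this check.

```python
"""Validate output_type in a cb-event-forwarder.conf before restarting the forwarder."""
from __future__ import annotations

# Valid output_type values as listed in the article.
VALID_OUTPUT_TYPES = {"udp", "tcp", "file", "s3", "syslog", "splunk", "http"}

# Constructed sample, not the shipped cb-event-forwarder.conf.
SAMPLE_CONF = """\
# forwarder settings (constructed sample)
output_type=udp
"""


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_output_type(text: str) -> tuple[bool, str]:
    """Return (ok, message); ok is False when the forwarder would stop sending.

    Assumption: the value must match one of VALID_OUTPUT_TYPES exactly (lowercase).
    """
    value = parse_conf(text).get("output_type")
    if value is None:
        return False, "output_type is missing"
    if value not in VALID_OUTPUT_TYPES:
        return False, f"output_type={value!r} is not one of {sorted(VALID_OUTPUT_TYPES)}"
    if value == "file":
        # Valid, but events only land under /var/cb/data unless a collector picks them up.
        return True, "output_type=file writes locally under /var/cb/data; nothing reaches the SIEM unless a collector reads that file"
    return True, f"output_type={value} forwards events directly from memory"


if __name__ == "__main__":
    ok, message = check_output_type(SAMPLE_CONF)
    print("OK" if ok else "PROBLEM", "-", message)
```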


Additional Information

  • An output_type of "file" writes to the default local location of /var/cb/data. If no external resource (such as a Splunk Universal Forwarder) is picking up this file, nothing is sent to the SIEM; events are only written locally.
  • Only output_type=file keeps a local file; all other output types forward events directly from memory.
  • For every output type except file, a temporary file is created and sent immediately to the configured output resource; no local copy is retained.
  • https://github.com/carbonblack/cb-event-forwarder