This topic describes external event logging options.

Table 1. External Event Logging Options

Field

Description

Syslog Enabled

Determines whether event information is output to another server for further analysis using a Syslog management tool. If selected, you must specify a Syslog server address and listening port. This option is OFF by default.

See the VMware Carbon Black App Control Events Guide for guidance on using event output together with your Syslog management tools.

Syslog Address

IP address for a Syslog server (optional). If you specify a Syslog address, you must also enter a port for the server.

No error is reported if you set the Syslog address or port incorrectly. To verify that the Syslog address is set correctly, confirm that events arrive on the Syslog server after you complete the configuration.

Syslog Port

Port number for a Syslog server.

Events directed to the listening port include activity messages such as blocked files, new files on the system, and changes to login accounts.

If you export event data, events continue to be written to the Events page, which is accessible from the Carbon Black App Control Console. If you specify a Syslog port, you must enter an address for the Syslog server.

Syslog Format

One of the following:

  • Basic (RFC3164) – Default for upgrades from pre-6.0.2 (Parity) versions.
  • Enhanced (RFC5424) – Standard and the default for new installations beginning with Bit9 v7.0.1.
  • CEF (ArcSight) – Format to use to integrate Carbon Black App Control event logs with HP ArcSight ESM or HP ArcSight Logger.
  • LEEF (Q1Labs) – Format to use to integrate Carbon Black App Control event logs with QRadar SIEM or QRadar Log Manager.

See the VMware Carbon Black App Control Events Guide for more information on Syslog formats that Carbon Black App Control supports, and how to map events to them.

Syslog Export Process Command Lines

Determines whether process command lines are included in Syslog output. This option is not selected by default. Because passwords can be specified on the command line, sending command-line output to an external server can be inappropriate.

Use External Database

To enable use of an external SQL database, select the check box. To deactivate reporting of events to the external database, deselect the check box.

DSN String

Identifies the external database. This value varies depending on whether you use manual authentication or NT authentication.
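
The receipt check described under Syslog Address, combined with the formats listed under Syslog Format, as an added example (not VMware's code): a listener to run on the Syslog server host that reports each sender and which format its payload matches. UDP transport, port 514, and the sample payloads are assumptions constructed for illustration; they are not actual App Control output.

```python
import re
import socket

# Header shapes: RFC 5424 is <PRI>1 SP ISO-timestamp; RFC 3164 is <PRI>Mmm dd hh:mm:ss.
RFC5424 = re.compile(r"^<\d{1,3}>1 ")
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

# Constructed sample payloads (not real App Control output), one per format.
SAMPLES = {
    "basic": b"<14>Jan  5 10:15:02 host app: constructed event",
    "enhanced": b"<14>1 2024-01-05T10:15:02Z host app - - - constructed event",
    "cef": b"<14>Jan  5 10:15:02 host CEF:0|ExampleVendor|ExampleProduct|1.0|100|constructed|5|msg=x",
    "leef": b"<14>Jan  5 10:15:02 host LEEF:1.0|ExampleVendor|ExampleProduct|1.0|100|msg=x",
}

def classify(payload: bytes) -> str:
    """Name the Syslog Format option that a received payload matches."""
    text = payload.decode("utf-8", errors="replace")
    # CEF and LEEF records can sit behind a syslog header, so test them first.
    if "CEF:" in text and text.split("CEF:", 1)[1].count("|") >= 7:
        return "CEF (ArcSight)"
    if "LEEF:" in text and text.split("LEEF:", 1)[1].count("|") >= 4:
        return "LEEF (Q1Labs)"
    if RFC5424.match(text):
        return "Enhanced (RFC5424)"
    if RFC3164.match(text):
        return "Basic (RFC3164)"
    return "unrecognized"

def wait_for_events(bind_addr="0.0.0.0", port=514, count=3, timeout=60.0):
    """Collect up to `count` UDP datagrams; return [(sender_ip, format), ...]."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))  # assumed port; use the configured Syslog Port
        sock.settimeout(timeout)
        try:
            while len(seen) < count:
                data, (sender, _port) = sock.recvfrom(65535)
                seen.append((sender, classify(data)))
        except socket.timeout:
            pass  # nothing (more) arrived before the timeout
    return seen

if __name__ == "__main__":
    events = wait_for_events()
    for sender, fmt in events:
        print(f"received from {sender}: {fmt}")
    if not events:
        print("no events received: recheck Syslog Address and Syslog Port")
```

Binding to a port below 1024 normally requires elevated privileges on the receiving host. A format other than the one selected in the console indicates that another sender is using the same port.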