The Carbon Black App Control Server supports integration of its event information with Syslog servers using several formats.
You configure Syslog integration in the External Event Logging panel of the Events tab.
The supported formats are:
- Basic (RFC3164) – The default for upgrades to v7.2.2 from pre-6.0.1 (Parity) versions.
- Enhanced (RFC5424) – A newer standard and the default for new installations of v6.0.1 (Bit9, Parity, or Carbon Black App Control) and later.
- CEF (ArcSight) – The format to integrate Carbon Black App Control event logs with HP ArcSight ESM or HP ArcSight Logger.
- LEEF (Q1 Labs) – The format to integrate Carbon Black App Control event logs with QRadar Log Manager or QRadar SIEM.
Notes:
- See the VMware Carbon Black App Control Events Guide for more information on Syslog formats that Carbon Black App Control supports, and how to map events to them.
- If you used HP ArcSight or Q1Labs products with previous versions, you must refer to VMware Carbon Black App Control Supported Integrations for information about upgrading your integration.
- If you worked with VMware Carbon Black Support to manually enable special Syslog formatting in pre-6.0.2 releases, your changes are overwritten upon upgrade. Use the Syslog format menu to choose formatting.
Enable Event Logging to a Syslog Server
To enable event logging to a Syslog server, perform the following procedure.
- Prepare the Syslog server to which you want to log Carbon Black App Control events. See the VMware Carbon Black App Control Events Guide for more details about preparing the server.
- On the console menu, click the Configuration (gear) icon and click System Configuration. On the System Configuration page, click on the Events tab.
- On the Events tab, click the Edit button at the bottom of the page.
- In the External Event Logging panel, select the Syslog Enabled check box.
- Provide the address (IP address or FQDN) and port number of your Syslog server in the Syslog Address and Syslog Port text boxes, respectively.
- Select the output format from the Syslog Format menu.
- To save your configuration, click Update and then click Yes in the confirmation dialog box.
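After saving, you can check that the lines arriving at the Syslog server are in the format chosen in the Syslog Format menu. The following Python is an added example, not VMware's code: it classifies received lines as RFC3164, RFC5424, CEF or LEEF from their headers. The sample lines, host name and vendor/product strings are constructed placeholders, not real App Control output.

```python
import re

PRI_RE = re.compile(r"<(\d{1,3})>")
RFC5424_RE = re.compile(r"<\d{1,3}>1 (\S+) (\S+) (\S+) \S+ \S+ ")
RFC3164_RE = re.compile(r"<\d{1,3}>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")
# Pipe-delimited header field counts: CEF has 7 before the extension, LEEF 1.0 has 5.
PAYLOADS = (("CEF", "CEF:", 7), ("LEEF", "LEEF:", 5))

# Constructed sample lines, one per Syslog Format menu choice (not real product output).
SAMPLES = {
    "RFC3164": "<14>Mar  4 10:15:02 appcontrol-srv server: constructed sample event",
    "RFC5424": "<14>1 2024-03-04T10:15:02Z appcontrol-srv server - - - constructed sample event",
    "CEF": "<14>Mar  4 10:15:02 appcontrol-srv "
           "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Sample event|4|src=192.0.2.10",
    "LEEF": "<14>Mar  4 10:15:02 appcontrol-srv "
            "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|100|src=192.0.2.10\tusrName=alice",
}

def classify(line):
    """Return the detected format plus the header fields that could be parsed."""
    out = {"format": "unknown"}
    pri = PRI_RE.match(line)
    if pri:  # PRI = facility * 8 + severity
        out["facility"], out["severity"] = divmod(int(pri.group(1)), 8)
    # CEF and LEEF travel inside a syslog line, so look for them first.
    for name, marker, nfields in PAYLOADS:
        start = line.find(marker)
        parts = line[start:].split("|", nfields) if start != -1 else []
        if len(parts) == nfields + 1:
            out.update(format=name, vendor=parts[1], product=parts[2])
            return out
    m = RFC5424_RE.match(line)
    if m:
        out.update(format="RFC5424", timestamp=m.group(1), host=m.group(2), app=m.group(3))
        return out
    m = RFC3164_RE.match(line)
    if m:
        out.update(format="RFC3164", timestamp=m.group(1), host=m.group(2))
    return out

def mismatches(lines, expected):
    """List (line_number, detected_format) for lines not in the expected format."""
    found = ((n, classify(text)["format"]) for n, text in enumerate(lines, 1))
    return [(n, fmt) for n, fmt in found if fmt != expected]

if __name__ == "__main__":
    for choice, line in SAMPLES.items():
        print(choice, "->", classify(line))
```

Feed `mismatches()` the lines your receiver captured and the format you selected; any tuples it returns point to lines that still arrive in a different format.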