The Carbon Black Cloud app includes a limited event generator. This generator lets the product display sample data when no inputs are configured.

The event generator requires the SA-Eventgen app to be installed.

The eventgen.conf contains two stanzas that reference the necessary log files:

  • [vmware_cbc_s3_alerts.log]
  • [vmware_cbc_s3_events.log]

To enable the event generator:

  1. Create a test index where the data can be loaded.
    Note: By default, the generated data is written to the test index. This can be changed in the eventgen.conf file.
  2. Copy $SPLUNK_HOME$/etc/apps/vmware_app_for_splunk/default/eventgen.conf to the local folder in $SPLUNK_HOME$/etc/apps/vmware_app_for_splunk. There are two sources, one for alerts and one for events.
  3. In the copied local eventgen.conf, change disabled = 1 to disabled = 0 for each stanza.
  4. Enable the SA-Eventgen input:
    1. Go to Settings > Data Inputs in the Splunk SIEM console.
    2. Locate the SA-Eventgen app in the Local Inputs list.
    3. Select Enable on the default input.
  5. Restart Splunk.
Note: SA-Eventgen scans every app under $SPLUNK_HOME$/etc/apps for an eventgen.conf file and then runs its event-generation logic for each enabled input it finds in those files.
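Steps 2 and 3 above (stage the default eventgen.conf into the app's local folder and flip both stanzas from disabled = 1 to disabled = 0) can be scripted so the change is made only in local/ and can be checked before restarting Splunk. The script below is an added example, not part of the Carbon Black Cloud app or the Splunk documentation. It assumes the app directory is given by APP_DIR (defaulting to a temporary directory) and writes a constructed sample default/eventgen.conf containing just the two stanzas named above, so that it runs offline; on a real install you would skip write_sample_default and point APP_DIR at $SPLUNK_HOME$/etc/apps/vmware_app_for_splunk.

```shell
#!/bin/sh
# Added example (not the app's or Splunk's own code): copy default/eventgen.conf
# to local/ and enable the two Carbon Black Cloud stanzas there.
# Assumption: APP_DIR is the app directory; by default a temp dir is used.
set -eu

APP_DIR="${APP_DIR:-$(mktemp -d)/vmware_app_for_splunk}"

# Constructed sample of the default eventgen.conf (both stanzas disabled).
# Only needed to run this example offline; a real install already has the file.
write_sample_default() {
    mkdir -p "$APP_DIR/default"
    cat > "$APP_DIR/default/eventgen.conf" <<'EOF'
[vmware_cbc_s3_alerts.log]
disabled = 1
index = test

[vmware_cbc_s3_events.log]
disabled = 1
index = test
EOF
}

# Step 2: copy the default conf into local/ so default/ is never edited.
stage_local_conf() {
    mkdir -p "$APP_DIR/local"
    cp "$APP_DIR/default/eventgen.conf" "$APP_DIR/local/eventgen.conf"
}

# Step 3: flip disabled = 1 to disabled = 0, in local/eventgen.conf only.
# -i.bak works with both GNU and BSD sed; the backup is removed afterwards.
enable_generator() {
    sed -i.bak 's/^disabled = 1$/disabled = 0/' "$APP_DIR/local/eventgen.conf"
    rm -f "$APP_DIR/local/eventgen.conf.bak"
}

# Check: number of stanzas still disabled in local/ (0 means both are enabled).
count_disabled() {
    grep -c '^disabled = 1$' "$APP_DIR/local/eventgen.conf" || true
}

# Check: which index the generated data will land in (expected: test).
target_index() {
    awk -F' = ' '$1 == "index" { print $2; exit }' "$APP_DIR/local/eventgen.conf"
}
```

Run the functions in order (write_sample_default only for the offline demo, then stage_local_conf, enable_generator), confirm count_disabled prints 0 and target_index prints the index you created in step 1, then enable the SA-Eventgen input and restart Splunk as in steps 4 and 5.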