To direct specific watchlist output to a remote device, you must configure Carbon Black EDR to filter each watchlist independently.

To configure Carbon Black EDR to send watchlist data to a remote device:

  1. Log in to the Carbon Black EDR console.

  2. Edit the cb-coreservices.conf file:

    vi /etc/rsyslog.d/cb-coreservices.conf

  3. Add the following lines to the configuration file (the "&" lines reuse the preceding filter for an additional action, and "& ~" discards the message so later rules do not process it again):

    if $programname == 'cb-notifications-watchlist-105' then /var/log/cb/notifications/cb-notifications-watchlist-105.log;CbLogFormatWithPID
    & @<remote device IP address>:<UDP port>;CbLogFormatWithPID
    & ~

    Note:
    • The entire section shown in step 3 must be added to the cb-coreservices.conf file. The example here specifies watchlist number 105.

    • Ensure that the correct watchlist is specified. Verify the watchlist ID in the Carbon Black EDR console before you add these lines to the cb-coreservices.conf file; the ID appears twice in the rule, in the program name and in the log file path, and both must match.

  4. Restart the rsyslog daemon so that the changes take effect:

    service rsyslog restart

  5. Verify that the data is present on the remote device.
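The following shell helper is an added example, not Carbon Black's own tooling: it generates the step 3 rule for any watchlist ID and remote collector, refuses malformed input, appends the rule only if it is not already present, and checks the rsyslog configuration with `rsyslogd -N1` before the restart in step 4. The function names, the argument checks and the use of `rsyslogd -N1` are assumptions of this example; the file path, log directory and format name come from the page.

```shell
#!/bin/sh
# Added example: manage the cb-coreservices.conf watchlist-forwarding rule.
# Path and template are taken from the page; the helper names are assumptions.
CONF=/etc/rsyslog.d/cb-coreservices.conf

# Print the three-line rule for one watchlist. In rsyslog legacy syntax '&'
# repeats the preceding filter for another action and '~' discards the message.
# A single '@' means plain UDP, so delivery is unacknowledged; step 5's check on
# the remote device is how you confirm the data actually arrived.
cb_watchlist_rule() {
    id=$1; host=$2; port=$3
    printf '%s\n' \
        "if \$programname == 'cb-notifications-watchlist-$id' then /var/log/cb/notifications/cb-notifications-watchlist-$id.log;CbLogFormatWithPID" \
        "& @$host:$port;CbLogFormatWithPID" \
        "& ~"
}

# Return 0 only for a numeric watchlist ID and a UDP port in 1..65535.
cb_validate_args() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    case $3 in ''|*[!0-9]*) return 1;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ]
}

# Return 0 if a rule for this exact watchlist ID is already in the config file.
# The trailing quote stops ID 105 from matching 1050.
cb_rule_exists() {
    grep -q "cb-notifications-watchlist-$1'" "$2" 2>/dev/null
}

# Append the rule if new, parse-check the whole rsyslog config, then restart.
cb_forward_watchlist() {
    id=$1; host=$2; port=$3; conf=${4:-$CONF}
    cb_validate_args "$id" "$host" "$port" || { echo "bad arguments" >&2; return 2; }
    if cb_rule_exists "$id" "$conf"; then
        echo "rule for watchlist $id already present in $conf" >&2
        return 0
    fi
    cb_watchlist_rule "$id" "$host" "$port" >> "$conf"
    # rsyslogd -N1 parses the configuration without starting the daemon, so a
    # typo is caught before the running service is restarted.
    rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config check failed" >&2; return 3; }
    service rsyslog restart
}
```

Usage: `cb_forward_watchlist 105 <remote device IP address> <UDP port>` as root on the Carbon Black EDR server; rerunning it for the same ID is a no-op.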