Carbon Black EDR logs the following events to Syslog.
Watchlist hit – This event occurs when activity or binaries on an endpoint match a query in a watchlist. See “Watchlists” in the VMware Carbon Black EDR User Guide.
Feed hit – This event occurs when activity or binaries on an endpoint match an IOC reported by a threat intelligence feed. See “Threat Intelligence Feeds” in the VMware Carbon Black EDR User Guide.
By default, a feed hit is logged only at the ingress as feed events arrive at the Carbon Black EDR server. These are feed.ingress.hit events.
Optionally (when enabled via the EnableSolrFeedNotifications configuration option in /etc/cb/cb.conf), the feed hit is also logged when it is committed to persistent storage. In that case, the notification can contain additional key-value pairs in the binary or process hit. These are feed.storage.hit events.
Binary information event – This event occurs when a process execution adds a binary to the Carbon Black EDR database.
The program name prefix for logged events is cb-notifications-. By default, logged events are written to log files in /var/log/cb/notifications on the Carbon Black EDR server (based on the syslog configuration in /etc/rsyslog.d/cb-coreservices).
Currently, binary information events are not published in the cb-all-notifications.log file.
In the /var/log/cb/notifications directory, there is one file for all hits, one file for each watchlist, and one file for each feed. Watchlist files include the watchlist ID in the program name and in the log file name, while feed files include the feed ID in the program name and in the log file name. Binary information events are logged in a separate file.
For example, the /var/log/cb/notifications directory listing below contains log files for the following events:
All watchlist and feed hits
Hits to Watchlist ID 10
Hits to Feed ID 8
All binary information events
[root@localhost coreservices]# ll /var/log/cb/notifications/*.log
-rw-------. Jun 9 15:30 /var/log/cb/notifications/cb-all-notifications.log
-rw-------. Jun 9 15:30 /var/log/cb/notifications/cb-notifications-watchlist-10.log
-rw-------. Jun 9 18:02 /var/log/cb/notifications/cb-notifications-feed-8.log
-rw-------. Jun 9 18:04 /var/log/cb/notifications/cb-notifications-binaryinfo.log
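A collector that forwards these files to a SIEM has to recognise the naming convention described above. The Python below is an added example, not code from the Carbon Black EDR documentation: it classifies a log file name or syslog program name into the event kinds on this page, inventories the listing above, and checks the EnableSolrFeedNotifications setting (the Key=Value line format of cb.conf is an assumption, as are the regexes).

```python
import re
# File/program name conventions as read from the listing above (my regexes).
WATCHLIST_RE = re.compile(r"^cb-notifications-watchlist-(\d+)$")
FEED_RE = re.compile(r"^cb-notifications-feed-(\d+)$")

def classify(name):
    """Map a log file path or syslog program name to (kind, id): kind is 'all',
    'watchlist', 'feed', 'binaryinfo' or None; works for 'cb-notifications-feed-8.log'
    and for the program name 'cb-notifications-feed-8' that writes to it."""
    base = name.rsplit("/", 1)[-1]
    if base.endswith(".log"):
        base = base[:-4]
    if base == "cb-all-notifications":
        return ("all", None)
    if base == "cb-notifications-binaryinfo":
        return ("binaryinfo", None)
    for kind, rx in (("watchlist", WATCHLIST_RE), ("feed", FEED_RE)):
        m = rx.match(base)
        if m:
            return (kind, int(m.group(1)))
    return (None, None)

def inventory(listing):
    """Summarise an 'll' listing: which watchlist/feed IDs have their own file."""
    found = {"all": False, "binaryinfo": False, "watchlists": set(), "feeds": set()}
    for line in listing.splitlines():
        if not line.startswith("-"):      # skip the prompt line and blanks
            continue
        kind, ident = classify(line.split()[-1])
        if kind in ("all", "binaryinfo"):
            found[kind] = True
        elif kind in ("watchlist", "feed"):
            found[kind + "s"].add(ident)
    return found

def solr_feed_notifications_enabled(cb_conf_text):
    """Check /etc/cb/cb.conf text for EnableSolrFeedNotifications.
    Assumes a Key=Value line format (my assumption, not stated on the page)."""
    for line in cb_conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "EnableSolrFeedNotifications":
            return value.strip().lower() in ("true", "1", "yes")
    return False  # default: only feed.ingress.hit events are logged

# Constructed listing mirroring the one in the text.
SAMPLE_LISTING = """[root@localhost coreservices]# ll /var/log/cb/notifications/*.log
-rw-------. Jun 9 15:30 /var/log/cb/notifications/cb-all-notifications.log
-rw-------. Jun 9 15:30 /var/log/cb/notifications/cb-notifications-watchlist-10.log
-rw-------. Jun 9 18:02 /var/log/cb/notifications/cb-notifications-feed-8.log
-rw-------. Jun 9 18:04 /var/log/cb/notifications/cb-notifications-binaryinfo.log
"""
```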