You can direct all watchlist output to a specific remote device by adding the remote device IP address to the cb-all-notifications parameter in the /etc/rsyslog.d/cb-coreservices.conf file.

To set up the Carbon Black EDR server to send data to a remote device:

  1. Log in to the Carbon Black EDR console.

  2. Edit the cb-coreservices.conf file as shown in the following example:

    vi /etc/rsyslog.d/cb-coreservices.conf

  3. Add the following line (the second line shown, beginning with & @) to the configuration file under the cb-allnotifications line:

    if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID
    & @<remote device IP address>:<UDP port>;CbLogFormatWithPID
    & ~

  4. Restart the rsyslog daemon so that the changes take effect:

    service rsyslog restart

  5. Verify that the data is now present on the remote device.
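A check you can run on the edited file before restarting rsyslog, as an added example that is not part of the Carbon Black documentation: it confirms that the forward action sits on its own line between the cb-allnotifications file action and the `& ~` discard, since a forward placed after the discard never runs. The function name check_cb_forwarding, the address 192.0.2.10 and port 514 are assumptions made for the example, and bracketed IPv6 targets are not handled.

```python
import re

# Constructed sample rules; 192.0.2.10 and 514 are placeholder values.
RULE = ("if $programname == 'cb-notifications' then "
        "/var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID")
FWD = "& @192.0.2.10:514;CbLogFormatWithPID"
GOOD = "\n".join([RULE, FWD, "& ~"])
BAD_ORDER = "\n".join([RULE, "& ~", FWD])   # forward placed after the discard
FLATTENED = " ".join([RULE, FWD, "& ~"])    # all three actions on one line

# Chained legacy-syntax forward action: "& @host:port;Template" (@ = UDP, @@ = TCP).
FORWARD = re.compile(r"^&\s*(@{1,2})([^@:;\s]+):(\d+)(?:;\S+)?$")


def check_cb_forwarding(conf_text):
    """Check that the cb-notifications rule forwards to a remote host before '& ~'."""
    lines = [ln.strip() for ln in conf_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    start = next((i for i, ln in enumerate(lines)
                  if ln.startswith("if ") and "'cb-notifications'" in ln), None)
    if start is None:
        return {"ok": False, "problem": "no cb-notifications rule found"}
    if re.search(r"\s&\s*[@~]", lines[start]):
        return {"ok": False,
                "problem": "chained '&' action on the rule line; each needs its own line"}
    for ln in lines[start + 1:]:
        if not ln.startswith("&"):
            break  # end of the actions chained to this rule
        if re.match(r"^&\s*~$", ln):
            break  # the message is discarded here; later actions never run
        m = FORWARD.match(ln)
        if m:
            return {"ok": True, "problem": None, "host": m.group(2),
                    "port": int(m.group(3)),
                    "transport": "udp" if m.group(1) == "@" else "tcp"}
    return {"ok": False, "problem": "no forward action ahead of the '& ~' discard"}


if __name__ == "__main__":
    for name, conf in [("good", GOOD), ("bad order", BAD_ORDER), ("flattened", FLATTENED)]:
        print(name, check_cb_forwarding(conf))
```

To check the live file, pass its contents: check_cb_forwarding(open("/etc/rsyslog.d/cb-coreservices.conf").read()).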