You can direct all watchlist output to a specific remote device by adding the remote device IP address to the
cb-all-notifications parameter in the /etc/rsyslog.d/cb-coreservices.conf file.
To set up the Carbon Black EDR server to send data to a remote device:
Log into the Carbon Black EDR console.
Edit the cb-coreservices.conf file as shown in the following example:
vi /etc/rsyslog.d/cb-coreservices.conf
Add the following line (highlighted) to the configuration file under the
if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID
& @<remote device IP address>:<UDP port>;CbLogFormatWithPID
& ~
Restart the rsyslog daemon so that the changes take effect:
service rsyslog restart
Verify that the data is now present on the remote device.
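A pre-restart check for the rule edited above, as an added example that is not part of the vendor documentation: it confirms that the forward action is chained to the cb-notifications rule and sits before the "& ~" discard, and reports whether it uses UDP (@) or TCP (@@). The helper name check_cb_forward and the address 192.0.2.10 are constructed for illustration; the legacy rsyslog syntax shown on this page is assumed.

```shell
#!/bin/sh
# Added example: lint the cb-notifications rule before restarting rsyslog.
# check_cb_forward is a hypothetical helper name. It prints one of:
#   ok-udp HOST:PORT | ok-tcp HOST:PORT   forward action found ('@' UDP, '@@' TCP)
#   missing         rule exists but has no forward action chained to it
#   after-discard   forward action follows '& ~', so it is never reached
#   no-rule         file has no cb-notifications rule
check_cb_forward() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*$/ { next }                          # skip blank lines
        /^[ \t]*if[ \t]+\$programname[ \t]*==[ \t]*.cb-notifications./ {
            in_rule = 1; seen_rule = 1; discarded = 0; next
        }
        in_rule && /^[ \t]*&[ \t]*~[ \t]*$/ { discarded = 1; next }
        in_rule && /^[ \t]*&[ \t]*@/ {
            t = $0
            sub(/^[ \t]*&[ \t]*/, "", t)             # drop the "&" chain marker
            proto = (t ~ /^@@/) ? "tcp" : "udp"
            sub(/^@+/, "", t)                        # drop the protocol prefix
            sub(/;.*$/, "", t)                       # drop the template name
            sub(/[ \t]+$/, "", t)
            if (state == "") state = discarded ? "after-discard" : ("ok-" proto " " t)
            next
        }
        in_rule && !/^[ \t]*&/ { in_rule = 0 }       # any other line ends the chain
        END {
            if (!seen_rule) print "no-rule"
            else if (state == "") print "missing"
            else print state
        }
    ' "$1"
}

# Constructed sample config (192.0.2.10 is a documentation address, not from the page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID
& @192.0.2.10:514;CbLogFormatWithPID
& ~
EOF
check_cb_forward "$sample"
rm -f "$sample"
```

Point it at /etc/rsyslog.d/cb-coreservices.conf before restarting the daemon; rsyslogd -N1 checks the configuration syntax separately.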