Carbon Black EDR maintains two separate syslog files for watchlists created in the Carbon Black EDR console.
The first syslog file is a single file with all watchlist hits consolidated in one place.
The second syslog file saves each watchlist hit to its own file. All the watchlist syslog files are stored in the following location on the Carbon Black EDR server:
Each watchlist is assigned a specific number, which can be viewed from the Carbon Black EDR server per this example:
In this example the watchlist number is 105.
Carbon Black EDR creates a numbered syslog that matches the watchlist number. In the example above, the watchlist 105 syslog creates the output file:
The syslog file name format follows a standard convention for all watchlists as shown below:
The single summary syslog with all watchlist hits in one consolidated file uses the following naming convention:
Binary Information events are not published in the cb-all-notifications.log file.