Remote devices must be configured with a new receiver to accept the rsyslog feed from Carbon Black EDR.

Whether the remote device is an instance of SPLUNK, ArcSight, or another manager-of-managers platform such as Tivoli, the basic setup requirements are the same.

Note:

The procedure for setting up remote devices differs depending upon the device itself. The basics are described here. Adapt the procedure to your particular platform.

To set up the remote device for Syslog integration:

  1. Add a new UDP receiver to the remote device.

  2. Enable the new receiver to communicate using a new and unique UDP port number for the communication with Carbon Black EDR. Verify that the receiver is working and listening on the appropriate port.

Note:

The system might require the Carbon Black EDR IP address to be authorized prior to accepting data.