On the Carbon Black EDR server, the rsyslog feature is used to transmit each watchlist hit to one or more remote devices.

To set up the Carbon Black EDR server to send Syslog data to remote devices:

  1. Access the Carbon Black EDR server either through the console or with a remote terminal connection using SSH.

  2. Edit the rsyslog configuration file that controls where Syslog messages are sent, so that they can be redirected to the remote devices:

    /etc/rsyslog.d/cb-coreservices.conf

The following is the content of an unaltered cb-coreservices.conf file:

Note:

The contents of the actual /etc/rsyslog.d/cb-coreservices.conf file on your server can differ from this example.

# By default the value of this directive is 'on' so that any special character (ASCII < 32) is escaped. However,
# that causes multiline messages to be rather unreadable. While the practice of printing multiple lines in a log
# should be discouraged, it is useful when error exception stack traces are being reported.  This option might
# also cause problems if other log file reader software is being used as it may not be able to read additional
# lines as those lines wouldn't have any timestamp/source information.
#
# If this option is causing problems, it can be disabled which would make interpreting stack traces a bit more
# difficult. However, the following command can be used when reading log files to make stack traces readable again:
#     cat /path/to/log/file | sed 's/#012/\n\t/g'
#
$EscapeControlCharactersOnReceive off

$template AccessLogFormat,"%msg%\n"
$template CbLogFormatWithPID,"%timegenerated:1:10:date-rfc3339% %timegenerated:8:15:% [%procid%] <%syslogseverity-text%> %msg%\n"
$template CbSyslogStandardFormatWithPID,"%timegenerated% [%procid%] <%syslogseverity-text%> %msg%\n"

$template DynaFile,"/var/log/cb/notifications/%PROGRAMNAME%.log"

if $programname startswith 'process' then -?DynaFile

if $programname == 'cb-coreservices' and $syslogfacility-text == 'local0' then /var/log/cb/coreservices/debug.log;CbLogFormatWithPID
& ~
if $programname == 'cb-coreservices' and $syslogfacility-text == 'local7' then /var/log/cb/coreservices/access.log;AccessLogFormat
& ~
if $programname == 'cb-sensorservices' and $syslogfacility-text == 'local0' then /var/log/cb/sensorservices/debug.log;CbLogFormatWithPID
& ~
if $programname == 'cb-sensorservices' and $syslogfacility-text == 'local7' then /var/log/cb/sensorservices/access.log;AccessLogFormat
& ~
if $programname == 'cb-allianceclient' and $syslogfacility-text == 'local0' then /var/log/cb/allianceclient/allianceclient.log;CbLogFormatWithPID
& ~
if $programname == 'cb-job-runner' then /var/log/cb/job-runner/job-runner.log;CbLogFormatWithPID
& ~
if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-all-notifications.log;CbSyslogStandardFormatWithPID
& ~
if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
& ~
if $programname == 'cb-services' then /var/log/cb/services/init.log;CbLogFormatWithPID
& ~
if $programname == 'cb-enterprised' then /var/log/cb/enterprise/enterprise.log;CbLogFormatWithPID
& ~
if $programname == 'cb-liveresponse' and $syslogfacility-text == 'local0' then /var/log/cb/liveresponse/debug.log;CbLogFormatWithPID
& ~
if $programname == 'cb-liveresponse' and $syslogfacility-text == 'local7' then /var/log/cb/liveresponse/access.log;AccessLogFormat
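The following is an added example of the forwarding rule a practitioner would add to this file; it is not part of the shipped cb-coreservices.conf and not from the Carbon Black documentation. It replaces the existing `cb-notifications` rule (the `if $programname == 'cb-notifications'` line and the `& ~` that follows it) with an equivalent RainerScript block that writes the local log file as before and also forwards every watchlist hit to a remote collector over TLS. The collector name `siem.example.com`, port `6514`, the CA file path and the queue file name are placeholders. The point to note is ordering: `& ~` (and its RainerScript equivalent `stop`) discards the message, so a forwarding action placed anywhere after that line never sees a watchlist hit.

```conf
# Added example: forward watchlist hits from the cb-notifications program to a
# remote collector. Placeholders: siem.example.com, port 6514, the CA file path.

# TLS for outbound syslog (gtls network stream driver). The CA file must be the
# one that signed the collector's server certificate (assumed path).
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem")

if $programname == 'cb-notifications' then {
    # Keep the local file exactly as the shipped rule wrote it.
    action(type="omfile"
           file="/var/log/cb/notifications/cb-all-notifications.log"
           template="CbSyslogStandardFormatWithPID")

    # Forward the same message over TCP+TLS. This action must come BEFORE 'stop';
    # '& ~' / 'stop' ends processing for the message, so anything after it is
    # never reached. TCP (omfwd protocol="tcp", legacy '@@') is used rather than
    # UDP ('@') so a dropped hit is retried instead of silently lost.
    action(type="omfwd"
           target="siem.example.com" port="6514" protocol="tcp"
           template="CbSyslogStandardFormatWithPID"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="siem.example.com"
           # Disk-assisted queue: a collector outage buffers hits on disk instead
           # of blocking rsyslog or discarding them; retry until it is back.
           queue.type="LinkedList"
           queue.filename="cb-notifications-fwd"
           queue.saveonshutdown="on"
           action.resumeRetryCount="-1")

    # Add one more action(type="omfwd" ...) per additional remote device.

    stop
}
```

Validate the file with `rsyslogd -N1` before restarting rsyslog; a syntax error leaves the whole cb-coreservices.conf unloaded, which stops the local Carbon Black log files from being written as well. The disk-assisted queue stores its spool under rsyslog's work directory (`/var/lib/rsyslog` on RHEL/CentOS builds), so check that the `rsyslog` user can write there.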