CEF syslog templates are located at /usr/share/cb/syslog_templates.

To use the CEF syslog templates, add the following lines to /etc/cb/cb.conf:

WatchlistSyslogTemplateProcess=/usr/share/cb/syslog_templates/process_cef.txt
WatchlistSyslogTemplateBinary=/usr/share/cb/syslog_templates/binary_cef.txt
The watchlist searcher process automatically picks up the new template when the next watchlist hit occurs.
  • The following is an example process watchlist hit in CEF format:

    CEF:0|Carbon Black|Carbon Black|4.1.0.131118.1540|reason=process_watchlist_-1|
    SyslogTest|10|dproc=wmiprvse.exe fname=c:\\windows\\system32\\wbem\\wmiprvse.exe
    start=2014-01-14T20:36:19.526Z dhost=J-8205A0C27A0C4 msg=group:Default Group
    process_md5:0ffae66e6d5b1c87cbd22d1f3b6079fd last_update:2014-01-14T20:36:19.526Z
    guid:-5850106436655859636 segment_id:1488563344023
  • The following is an example binary watchlist hit in CEF format:

    CEF:0|Carbon Black|Carbon Black|4.1.0.131118.1540|reason=binary_watchlist_-1|
    SyslogTest|10|start=2014-01-13T14:49:55.189Z msg=md5:6D778E0F95447E6546553EEEA709D03C
    desc:Windows Command Processor company_name:Microsoft Corporation
    product_name:Microsoft® Windows® Operating System
    product_version:5.1.2600.5512 file_version:5.1.2600.5512 (xpsp.080413-2111)
    signed:Signed
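The two hits above share one layout: seven pipe-delimited CEF header fields, then key=value extensions, with the watchlist details packed into msg= as colon-separated subfields. The parser below is an added example (not code from Carbon Black or from this page) that splits a hit along those three levels, unescapes CEF backslash sequences such as the doubled backslashes in fname, and returns the fields an analyst triages first; the sample line is the process hit from this page, rejoined onto one line.

```python
import re

# Constructed sample: the process watchlist hit shown above, rejoined onto one line.
# CEF writes a backslash inside an extension value as "\\" (four in this Python literal).
PROCESS_HIT = (
    "CEF:0|Carbon Black|Carbon Black|4.1.0.131118.1540|reason=process_watchlist_-1|"
    "SyslogTest|10|dproc=wmiprvse.exe fname=c:\\\\windows\\\\system32\\\\wbem\\\\wmiprvse.exe "
    "start=2014-01-14T20:36:19.526Z dhost=J-8205A0C27A0C4 msg=group:Default Group "
    "process_md5:0ffae66e6d5b1c87cbd22d1f3b6079fd last_update:2014-01-14T20:36:19.526Z "
    "guid:-5850106436655859636 segment_id:1488563344023"
)

HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
UNESCAPE = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}

def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict."""
    parts = re.split(r"(?<!\\)\|", line.partition("CEF:")[2], maxsplit=7)  # '\|' is a literal pipe
    if len(parts) != 8:
        raise ValueError("not a CEF line with 7 pipe-delimited header fields")
    record = dict(zip(HEADER, parts[:7]))
    record["severity"] = int(record["severity"])
    # Extension values may contain spaces (msg=group:Default Group ...), so split only at
    # whitespace immediately followed by the next key=, then undo \\ \= \n \r escaping.
    ext = {}
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = re.sub(r"\\([\\=nr])", lambda m: UNESCAPE[m.group(1)], value)
    record["extension"] = ext
    return record

def parse_cb_msg(msg):
    """Carbon Black packs hit details into msg= as space-separated key:value subfields whose
    values may contain spaces; same split trick (best effort: ' word:' inside a value splits)."""
    items = re.split(r"\s+(?=\w+:)", msg.strip())
    return dict(item.partition(":")[::2] for item in items)

def triage_fields(line):
    """The fields an analyst wants first from a process or binary watchlist hit."""
    rec = parse_cef(line)
    ext = rec["extension"]
    details = parse_cb_msg(ext.get("msg", ""))
    return {
        "watchlist": rec["signature_id"].partition("=")[2],  # drop the "reason=" prefix
        "severity": rec["severity"],
        "host": ext.get("dhost"),
        "process": ext.get("dproc"),
        "path": ext.get("fname"),
        "md5": details.get("process_md5") or details.get("md5"),  # binary hits use md5:
    }
```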