Carbon Black EDR audit logs are located in `/var/log/cb/audit` and are also available through syslog.

They include the following files:

  • banning.log – hash banning activity (add, remove, toggle).

  • isolation.log – sensor isolation activity (enable and disable).

  • live-response.log – endpoint Live Response session activity such as `cd`, `exec`, `reg`, and so on; it does not include commands that are not part of an endpoint session, such as `sensor` and `help`.

  • useractivity.log (written only when extended API audit logging is enabled) – all user API activity, including HTTP request details.

    You can enable audit logging by setting the `EnableExtendedApiAuditLogging=True` parameter in `/etc/cb/cb.conf`. See the VMware Carbon Black EDR Server Configuration Guide (cb.conf).
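The following POSIX shell script is an added example, not part of the VMware documentation or the EDR product itself. It checks whether `EnableExtendedApiAuditLogging=True` is actually set in `cb.conf` (ignoring commented-out lines and surrounding whitespace) and reports which of the four audit log files named above are present, so an operator can confirm the audit trail exists before relying on it. The default paths are the ones the page gives; both functions accept an alternative path as their first argument, which is an assumption added here so the check can be run against a copied configuration.

```shell
#!/bin/sh
# Added example: verify Carbon Black EDR audit logging configuration and log presence.
# Defaults to the paths named on the page; arguments override them (assumed for testing).

# Returns 0 if an active (non-commented) line sets EnableExtendedApiAuditLogging to true,
# 1 if no such line exists, and 2 if the configuration file cannot be read.
cb_audit_enabled() {
  conf="${1:-/etc/cb/cb.conf}"
  [ -r "$conf" ] || return 2
  grep -Ei '^[[:space:]]*EnableExtendedApiAuditLogging[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf" >/dev/null
}

# Prints one line per expected audit log in the form "<name> present" or "<name> missing".
cb_audit_log_status() {
  dir="${1:-/var/log/cb/audit}"
  for f in banning.log isolation.log live-response.log useractivity.log; do
    if [ -f "$dir/$f" ]; then
      printf '%s present\n' "$f"
    else
      printf '%s missing\n' "$f"
    fi
  done
}

# Stand-alone usage: report against the real server paths.
if cb_audit_enabled; then
  echo "extended API audit logging: enabled"
else
  echo "extended API audit logging: disabled or cb.conf unreadable"
fi
cb_audit_log_status
```

Note that `useractivity.log` being absent is expected when the parameter is off; the other three files should exist on any server that has seen banning, isolation, or Live Response activity, so a "missing" result for those is worth investigating (for example, logs rotated away or a syslog-only deployment).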