Carbon Black EDR audit logs are located in /var/log/cb/audit and are available through Syslog.
They include the following files:
banning.log – hash banning activity (add, remove, toggle).
isolation.log – sensor isolation activity (enable and disable).
live-response.log – endpoint Live Response session activity such as reg, and so on; does not include commands that are not part of an endpoint session, such as
useractivity.log (only when audit logging is enabled) – all user API activity, including HTTP request details.
You can enable audit logging with the EnableExtendedApiAuditLogging=True parameter in /etc/cb/cb.conf. See the VMware Carbon Black EDR Server Configuration Guide (cb.conf).
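As an added example (not part of the VMware documentation or the EDR product), a small POSIX shell check that verifies whether cb.conf actually enables extended API audit logging and which of the audit log files listed above are present; the function names and the constructed cb.conf contents in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not VMware code: audit-logging health check for Carbon Black EDR.

# Return 0 if the given cb.conf enables extended API audit logging, 1 otherwise.
# Comment lines are ignored, surrounding whitespace is tolerated, and the
# key/value match is case-insensitive, so a commented-out line does not count.
cb_api_audit_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -v '^[[:space:]]*#' "$conf" \
        | grep -iq '^[[:space:]]*EnableExtendedApiAuditLogging[[:space:]]*=[[:space:]]*True[[:space:]]*$'
}

# Report audit log files missing from the audit directory; return 0 only when
# every expected file exists. useractivity.log is expected only when the
# second argument is "yes" (i.e. extended API audit logging is enabled).
cb_audit_logs_missing() {
    dir="$1"; expect_user="$2"; missing=0
    for f in banning.log isolation.log live-response.log; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; missing=1; }
    done
    if [ "$expect_user" = "yes" ] && [ ! -f "$dir/useractivity.log" ]; then
        echo "missing: $dir/useractivity.log (is EnableExtendedApiAuditLogging=True set?)"
        missing=1
    fi
    return $missing
}

# Combined check: decide from cb.conf whether useractivity.log must exist,
# then verify the audit directory accordingly.
cb_audit_check() {
    conf="$1"; dir="$2"
    if cb_api_audit_enabled "$conf"; then
        echo "extended API audit logging: enabled"
        cb_audit_logs_missing "$dir" yes
    else
        echo "extended API audit logging: NOT enabled in $conf"
        cb_audit_logs_missing "$dir" no
    fi
}

# Usage on a server: sh cb_audit_check.sh /etc/cb/cb.conf /var/log/cb/audit
if [ "$#" -eq 2 ]; then
    cb_audit_check "$1" "$2"
fi
```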