Carbon Black EDR maintains two kinds of syslog files for watchlists created in the Carbon Black EDR console.
The first is a single file in which all watchlist hits are consolidated in one place.
The second is a set of per-watchlist files, one for each watchlist, so that hits for a given watchlist are kept separate. All the watchlist syslog files are stored in the following location on the Carbon Black EDR server:
/var/log/cb/notifications
Each watchlist is assigned a specific number, which appears in the console URL for that watchlist on the Carbon Black EDR server, as in this example:
https://<server name>/#/watchlist/105
In this example the watchlist number is 105.
Carbon Black EDR names each per-watchlist syslog file with that watchlist number. For watchlist 105 in the example above, the output file is:
cb-notifications-watchlist-105.log-20131031
The syslog file name format follows a standard convention for all watchlists as shown below:
cb-notifications-watchlist-<watchlist#>.log-YYYYMMDD
The single summary syslog with all watchlist hits in one consolidated file uses the following naming convention:
cb-all-notifications.log-YYYYMMDD
Binary Information events are not published in the cb-all-notifications.log file.
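The naming conventions above are easy to get wrong when a collector or forwarder is pointed at /var/log/cb/notifications. The following Python is an added example, not part of the Carbon Black EDR product or its documentation: it parses both file-name patterns, groups the rotated per-watchlist files by watchlist number and date, and rebuilds the console URL. The directory listing it runs on is constructed here, and the server name in the URL is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Naming conventions for files under /var/log/cb/notifications, as given above.
NOTIFICATION_DIR = "/var/log/cb/notifications"
WATCHLIST_RE = re.compile(r"^cb-notifications-watchlist-(?P<id>\d+)\.log-(?P<date>\d{8})$")
ALL_RE = re.compile(r"^cb-all-notifications\.log-(?P<date>\d{8})$")

def _date(yyyymmdd):
    return datetime.strptime(yyyymmdd, "%Y%m%d").date()

def parse_name(filename):
    """Classify one notification file name.
    Returns ('watchlist', id, date) or ('all', None, date); None if the name
    follows neither convention (unrelated files are skipped, not guessed at)."""
    m = WATCHLIST_RE.match(filename)
    if m:
        return ("watchlist", int(m.group("id")), _date(m.group("date")))
    m = ALL_RE.match(filename)
    if m:
        return ("all", None, _date(m.group("date")))
    return None

def inventory(filenames):
    """Group rotated per-watchlist files by watchlist id and collect the
    summary-file dates, so each stream can be forwarded or audited separately.
    Note the summary file omits Binary Information events, so forwarding only
    cb-all-notifications.log-* loses those hits."""
    per_watchlist, summary = defaultdict(list), []
    for name in filenames:
        parsed = parse_name(name)
        if parsed is None:
            continue
        kind, wl_id, date = parsed
        (summary if kind == "all" else per_watchlist[wl_id]).append(date)
    return {k: sorted(v) for k, v in per_watchlist.items()}, sorted(summary)

def watchlist_url(server, watchlist_id):
    """Console URL for a watchlist, following the https://<server>/#/watchlist/<n> form."""
    return f"https://{server}/#/watchlist/{watchlist_id}"

# Constructed directory listing (not captured from a real server).
SAMPLE = [
    "cb-notifications-watchlist-105.log-20131031",
    "cb-notifications-watchlist-105.log-20131101",
    "cb-notifications-watchlist-7.log-20131031",
    "cb-all-notifications.log-20131031",
    "cb-notifications-watchlist-x.log-20131031",  # malformed: ignored
]
```

On a live server, `inventory(os.listdir(NOTIFICATION_DIR))` produces the same grouping for the real directory.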