You can use Carbon Black EDR syslog templates to build custom-formatted syslog notifications for Carbon Black EDR watchlist hits, feed hits, and binary information events.
Syslog output is formatted using Jinja2 templates. A command line utility at `/usr/share/cb/cbsyslog` supports:

```
# /usr/share/cb/cbsyslog --help
Usage: cbsyslog.py [options]
```

This utility provides an interface for testing Carbon Black EDR's notifications syslog output. The interface options are as follows:
Syslog notification testing utility (cbsyslog) options

| Option | Description |
|---|---|
| `-h`, `--help` | Displays a help message and then exits. |
| `-v`, `--verbose` | Provides detailed output. |
| `-l`, `--list-events` | Outputs the list of events that can be sent to syslog, and then exits. |
| `-e EVENT_NAME`, `--event=EVENT_NAME` | Identifies specific event types. Use the |
| `-g`, `--get` | Saves the system default templates to the current directory. |
| `-t TEMPLATE`, `--template=TEMPLATE` | Formats the syslog message using the specified template instead of the system default. |
| `-f`, `--fire` | Formats and sends an event through the syslog message system. For example, you can use this option to manually execute the same process that occurs when the Carbon Black EDR server sends an event to syslog when there is a hit. |
| `-q QUERY`, `--query=QUERY` | Processes the first Solr document that matches the query string. You can use this query to identify which document to test with. |

Note: Some event output of `cbsyslog -e` contains sample data, while other output contains the results of actual database queries. Inspect the output to determine whether the data is sample data; sample data contains a string such as
To build custom-formatted syslog notifications:

- Use the `--get` switch to write the system default templates to the local directory:

  ```
  # /usr/share/cb/cbsyslog --get
  # ll
  -rw-rw-r--. 1 root root 246 May 22 00:16 binaryinfo.group.observed.template
  -rw-rw-r--. 1 root root 285 May 22 00:16 binaryinfo.host.observed.template
  -rw-rw-r--. 1 root root 221 May 22 00:16 binaryinfo.observed.template
  -rw-rw-r--. 1 root root 194 May 22 00:16 feed.ingress.hit.binary.template
  -rw-rw-r--. 1 root root 210 May 22 00:16 feed.ingress.hit.process.template
  -rw-rw-r--. 1 root root 194 May 22 00:16 feed.storage.hit.binary.template
  -rw-rw-r--. 1 root root 243 May 22 00:16 feed.storage.hit.process.template
  -rw-rw-r--. 1 root root 575 May 22 00:16 watchlist.hit.binary.template
  -rw-rw-r--. 1 root root 460 May 22 00:16 watchlist.hit.process.template
  ```

  The templates are given a context with a single Python dictionary called `doc` that contains the set of all possible key-value pairs.

- To view the set of all possible keys, use the Jinja `for` loop to iterate over the indexed fields in the Solr document with this template:

  - Create a `forloop.txt` template with the following contents:

    ```
    {% for k in doc %}{{k}}={{doc[k]}} {% endfor %}
    ```

  - Use the `--template` switch to output all of the available keys for a specific event type (the template emits all pairs on one line):

    ```
    # /usr/share/cb/cbsyslog --template ./forloop.txt --event watchlist.hit.process
    process_md5=506708142bc63daba64f2d3ad1dcd5bf process_sha256=6635a659bc80def44859f36719ed30618589c4b50abc17def38ee7dd913721 sensor_id=15 modload_count=45 filemod_count=0 servername=cbent-qa-nodesvr02 watchlist_id=-1 watchlist_name=SyslogTest id=1068044553602656801 group=SetSensor hostname=CB-WIN81X64-01 last_update=2014-02-28T02:29:00.09Z start=2014-02-28T02:29:00.043Z netconn_count=0 username=SYSTEM process_name=googleupdate.exe path=c:\program files (x86)\google\update\googleupdate.exe regmod_count=1 segment_id=1488563344023 host_type=workstation cb_version=4.1.1.140225.1913 childproc_count=0 unique_id=00000c42-0000-172c-01d0-5d6cca2adbb2-015A954A1297
    ```

- To get a list of available event types, use the `--list-events` option:

  ```
  [root@localhost mytemplates]# /usr/share/cb/cbsyslog --list-events
  binaryinfo.group.observed
  binaryinfo.host.observed
  binaryinfo.observed
  feed.ingress.hit.binary
  feed.ingress.hit.host
  feed.ingress.hit.process
  feed.storage.hit.binary
  feed.storage.hit.process
  watchlist.hit.binary
  watchlist.hit.process
  feed.query.hit.binary
  feed.query.hit.process
  ```
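The one-line `key=value` output of the `forloop.txt` template above is convenient for discovering keys, but it is not safe to split on whitespace: values such as `path` and `group` can contain spaces, and the template does no quoting. The following added example (not code from the Carbon Black EDR product or its documentation) parses such a line on the receiving side, re-attaching tokens that do not look like a new `key=` to the previous value, and then runs the sanity checks a SIEM pipeline would want before trusting the event: hash fields must be the right length, count fields must be integers. The sample line is constructed from the page's own example output; note that the `process_sha256` value in that sample is 62 characters, which the validator reports.

```python
import re

# Constructed sample: the single-line output of forloop.txt shown on this page,
# with the key/value pairs copied from the page's example.
SAMPLE_LINE = (
    "process_md5=506708142bc63daba64f2d3ad1dcd5bf "
    "process_sha256=6635a659bc80def44859f36719ed30618589c4b50abc17def38ee7dd913721 "
    "sensor_id=15 modload_count=45 filemod_count=0 servername=cbent-qa-nodesvr02 "
    "watchlist_id=-1 watchlist_name=SyslogTest id=1068044553602656801 group=SetSensor "
    "hostname=CB-WIN81X64-01 last_update=2014-02-28T02:29:00.09Z "
    "start=2014-02-28T02:29:00.043Z netconn_count=0 username=SYSTEM "
    "process_name=googleupdate.exe "
    "path=c:\\program files (x86)\\google\\update\\googleupdate.exe "
    "regmod_count=1 segment_id=1488563344023 host_type=workstation "
    "cb_version=4.1.1.140225.1913 childproc_count=0 "
    "unique_id=00000c42-0000-172c-01d0-5d6cca2adbb2-015A954A1297"
)

# A token starts a new pair only if it begins with an identifier followed by '='.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Solr count fields that should always be integers in a watchlist.hit.process doc.
COUNT_KEYS = ("modload_count", "filemod_count", "netconn_count",
              "regmod_count", "childproc_count")


def parse_forloop_line(line):
    """Parse 'k=v k=v ...' where values may themselves contain spaces.

    Tokens that do not look like 'identifier=' are appended to the previous
    value. This is a heuristic: a value that contains 'word=' would be split
    incorrectly, which is why a production template should quote or escape
    values rather than rely on whitespace separation.
    """
    doc = {}
    key = None
    for token in line.strip().split(" "):
        if KEY_RE.match(token):
            key, _, value = token.partition("=")
            doc[key] = value
        elif key is not None:
            doc[key] += " " + token
        else:
            raise ValueError("line does not start with key=value: %r" % token)
    return doc


def validate_doc(doc):
    """Return a list of problems to flag before the event is trusted downstream."""
    problems = []
    md5 = doc.get("process_md5", "")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
        problems.append("process_md5 is not 32 hex chars (got %d)" % len(md5))
    sha = doc.get("process_sha256", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", sha):
        problems.append("process_sha256 is not 64 hex chars (got %d)" % len(sha))
    for k in COUNT_KEYS:
        if not doc.get(k, "").lstrip("-").isdigit():
            problems.append("%s is not an integer" % k)
    return problems


if __name__ == "__main__":
    parsed = parse_forloop_line(SAMPLE_LINE)
    print("path  =", parsed["path"])
    print("keys  =", len(parsed))
    for problem in validate_doc(parsed):
        print("WARN:", problem)
```

When you write your own template for a production syslog feed, prefer a format the receiver can parse unambiguously (for example, wrap each value in quotes and escape embedded quotes with a Jinja filter) so that a parser like this one does not have to guess where one value ends and the next key begins.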