Event Forwarder 3.8.2 is the initial release of containerized Event Forwarder, which is compatible with containerized Carbon Black EDR Server. Event Forwarder versions prior to 3.8.2 are not compatible with Carbon Black EDR containerized servers. Event Forwarder versions 3.8.2+ are supported.

Note: This topic describes how to install Event Forwarder 3.8.2. If you are using a later version of Event Forwarder, substitute that version number in the following steps.

Procedure

  1. Retrieve the containerized version of Event Forwarder 3.8.2 with docker using this command:
    docker pull projects.registry.vmware.com/carbonblack/event-forwarder:3.8.2
  2. Retag the downloaded Event Forwarder image using this command:
    docker tag projects.registry.vmware.com/carbonblack/event-forwarder:3.8.2 projects.registry.vmware.com/carbonblack/event-forwarder:latest
  3. From the directory where the edr-docker script is installed, extract the yml file using this command:
    docker run --rm --entrypoint=/bin/cat projects.registry.vmware.com/carbonblack/event-forwarder:latest /compose.yml > event-forwarder.yml
  4. Set up Carbon Black EDR to control Event Forwarder. Edit data/config/cb.conf and add the following values:
    • EventForwarderEnabled=True
    • EventForwarderContainerAddress=carbonblack-event-forwarder
    • EventForwarderContainerPort=5744
  5. Restart the Carbon Black EDR docker container to apply your changes:
    ./edr-docker stop
    ./edr-docker start
  6. Run the Event Forwarder docker container using this command:
    docker-compose -f event-forwarder.yml up -d
  7. Optional: to get additional logging information for Event Forwarder, use this command:
    docker logs -f carbonblack-event-forwarder
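Steps 1 through 6 as one POSIX shell script. This is an added example, not VMware's edr-docker tooling; it assumes it is run from the edr-docker directory so that data/config/cb.conf is the file from step 4 (override with CB_CONF), and it applies the three cb.conf settings idempotently, so re-running it never leaves duplicate or conflicting EventForwarder* keys. The Docker steps only run when EF_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation or the edr-docker tooling.
# Applies the step 4 cb.conf settings idempotently, verifies them, then runs steps 1-6.
set -eu
IMAGE="projects.registry.vmware.com/carbonblack/event-forwarder"
VERSION="${EF_VERSION:-3.8.2}"             # substitute a later version if needed
CB_CONF="${CB_CONF:-data/config/cb.conf}"  # step 4 path, relative to the edr-docker directory

# set_conf_value FILE KEY VALUE: rewrite an existing "KEY=..." line (even if
# commented out) or append the key when absent. Matches the exact key, so
# EventForwarderContainerPort never clobbers EventForwarderContainerAddress.
set_conf_value() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[# ]*$key=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[# ]*$key=.*|$key=$value|" "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"   # overwrite in place: keeps inode and permissions
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}
# get_conf_value FILE KEY: print the effective (uncommented) value, empty if unset.
get_conf_value() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}
# configure_event_forwarder FILE: the three values from step 4.
configure_event_forwarder() {
    set_conf_value "$1" EventForwarderEnabled True
    set_conf_value "$1" EventForwarderContainerAddress carbonblack-event-forwarder
    set_conf_value "$1" EventForwarderContainerPort 5744
}
# verify_event_forwarder_conf FILE: succeed only if all three keys hold the expected values.
verify_event_forwarder_conf() {
    [ "$(get_conf_value "$1" EventForwarderEnabled)" = "True" ] &&
    [ "$(get_conf_value "$1" EventForwarderContainerAddress)" = "carbonblack-event-forwarder" ] &&
    [ "$(get_conf_value "$1" EventForwarderContainerPort)" = "5744" ]
}
# Steps 1-6 from the page; guarded by EF_APPLY=1 so the helpers above can be
# sourced and checked on a host without Docker.
if [ "${EF_APPLY:-0}" = "1" ]; then
    docker pull "$IMAGE:$VERSION"
    docker tag "$IMAGE:$VERSION" "$IMAGE:latest"
    docker run --rm --entrypoint=/bin/cat "$IMAGE:latest" /compose.yml > event-forwarder.yml
    configure_event_forwarder "$CB_CONF"
    verify_event_forwarder_conf "$CB_CONF"
    ./edr-docker stop && ./edr-docker start
    docker-compose -f event-forwarder.yml up -d
fi
```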

Results

  • Configuration is saved in data/integrations/event-forwarder.
  • The Carbon Black EDR data folder is re-used.
  • Event Forwarder logs are available at data/logs/event-forwarder.

What to do next

When you need to stop the Event Forwarder docker container, go to the directory that contains the event-forwarder.yml file and run the following command:

docker-compose -f event-forwarder.yml down