On the Carbon Black EDR server, rsyslog is used to transmit each watchlist hit to one remote device or to multiple remote devices.
Procedure
- Access the Carbon Black EDR server either through the console or with a remote terminal connection using SSH.
- Edit the rsyslog configuration file so that syslog output can be redirected:
/etc/rsyslog.d/cb-coreservices.conf
The following shows the contents of an unaltered cb-coreservices.conf file.
Note: The contents of the actual /etc/rsyslog.d/cb-coreservices.conf file can be different.
# By default the value of this directive is 'on' so that any special character (ASCII < 32) is escaped. However,
# that causes multiline messages to be rather unreadable. While the practice of printing multiple lines in a log
# should be discouraged, it is useful when error exception stack traces are being reported. This option might
# also cause problems if other log file reader software is being used as it may not be able to read additional
# lines as those lines wouldn't have any timestamp/source information.
#
# If this option is causing problems, it can be disabled which would make interpreting stack traces a bit more
# difficult. However, the following command can be used when reading log files to make stack traces readable again:
# cat /path/to/log/file | sed 's/#012/\n\t/g'
#
$EscapeControlCharactersOnReceive off

$template AccessLogFormat,"%msg%\n"
$template CbLogFormatWithPID,"%timegenerated:1:10:date-rfc3339% %timegenerated:8:15:% [%procid%] <%syslogseverity-text%> %msg%\n"
$template CbSyslogStandardFormatWithPID,"%timegenerated% [%procid%] <%syslogseverity-text%> %msg%\n"
$template DynaFile,"/var/log/cb/notifications/%PROGRAMNAME%.log"

if $programname startswith 'process' then -?DynaFile

if $programname == 'cb-coreservices' and $syslogfacility-text == 'local0' then /var/log/cb/coreservices/debug.log;CbLogFormatWithPID
& ~
if $programname == 'cb-coreservices' and $syslogfacility-text == 'local7' then /var/log/cb/coreservices/access.log;AccessLogFormat
& ~
if $programname == 'cb-sensorservices' and $syslogfacility-text == 'local0' then /var/log/cb/sensorservices/debug.log;CbLogFormatWithPID
& ~
if $programname == 'cb-sensorservices' and $syslogfacility-text == 'local7' then /var/log/cb/sensorservices/access.log;AccessLogFormat
& ~
if $programname == 'cb-allianceclient' and $syslogfacility-text == 'local0' then /var/log/cb/allianceclient/allianceclient.log;CbLogFormatWithPID
& ~
if $programname == 'cb-job-runner' then /var/log/cb/job-runner/job-runner.log;CbLogFormatWithPID
& ~
if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-all-notifications.log;CbSyslogStandardFormatWithPID
& ~
if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
& ~
if $programname == 'cb-services' then /var/log/cb/services/init.log;CbLogFormatWithPID
& ~
if $programname == 'cb-enterprised' then /var/log/cb/enterprise/enterprise.log;CbLogFormatWithPID
& ~
if $programname == 'cb-liveresponse' and $syslogfacility-text == 'local0' then /var/log/cb/liveresponse/debug.log;CbLogFormatWithPID
& ~
if $programname == 'cb-liveresponse' and $syslogfacility-text == 'local7' then /var/log/cb/liveresponse/access.log;AccessLogFormat
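The fragment below is an added example of the forwarding rule that this procedure leads to; it is not part of the shipped cb-coreservices.conf and not Carbon Black's own configuration. It uses standard rsyslog (RainerScript) syntax to send every watchlist notification, which the default rules above match by the program names cb-notifications and cb-notifications-*, to a remote collector over TCP with TLS and a disk-assisted queue. The collector name siem.example.com, port 6514 and the CA file path are placeholders. Placement matters: each of the default rules ends in "& ~", which discards the message once it has been written to the local file, so a forwarding rule that comes after the cb-notifications rules never sees a notification. Insert this block above them.

```conf
# Added example, not part of the shipped cb-coreservices.conf.
# Insert ABOVE the 'cb-notifications' rules: those rules end in "& ~", which
# discards each message after writing the local file, so anything placed after
# them never receives a watchlist hit.
#
# Placeholders to replace for your environment: siem.example.com, 6514,
# /etc/pki/rsyslog/ca.pem (CA that issued the collector's certificate).

# CA used to verify the collector's TLS certificate.
global(DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem")

# RSYSLOG_SyslogProtocol23Format is rsyslog's built-in RFC 5424 template. It is
# used here instead of CbSyslogStandardFormatWithPID because that local template
# carries no hostname, so a SIEM could not tell which EDR server sent the hit.
#
# The queue is disk-assisted (queue.filename) so that hits are spooled under
# rsyslog's WorkDirectory while the collector is unreachable, survive an rsyslog
# restart (queue.saveOnShutdown), and never block local logging. The action
# retries forever (action.resumeRetryCount="-1") rather than dropping messages.
if $programname == 'cb-notifications' or $programname startswith 'cb-notifications-' then {
    action(
        type="omfwd"
        target="siem.example.com"
        port="6514"
        protocol="tcp"
        template="RSYSLOG_SyslogProtocol23Format"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="siem.example.com"
        queue.type="LinkedList"
        queue.filename="cb_notifications_fwd"
        queue.saveOnShutdown="on"
        queue.maxDiskSpace="1g"
        action.resumeRetryCount="-1"
    )
    # No "stop" here: the message continues to the default rules so that the
    # local cb-all-notifications.log is still written.
}
```

To add a second collector, repeat the action() with a different target inside the same block; each action gets its own queue. Validate the edited configuration with `rsyslogd -N1` before restarting rsyslog, then emit a constructed test message with `logger -t cb-notifications -p local0.info "forwarding test"`: it should appear both in /var/log/cb/notifications/cb-all-notifications.log and on the collector. If the collector is down, the message is spooled in the queue file under rsyslog's WorkDirectory rather than lost.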