On the Carbon Black EDR server, rsyslog is used to transmit each watchlist hit to one or more remote devices.

Procedure

  1. Access the Carbon Black EDR server either through the console or with a remote terminal connection using SSH.
  2. Edit the rsyslog configuration file that controls where Carbon Black EDR syslog output is routed:
    /etc/rsyslog.d/cb-coreservices.conf
    The following is example output from an unaltered cb-coreservices.conf file:
    Note:

    The contents of the actual /etc/rsyslog.d/cb-coreservices.conf file can be different.

    # By default the value of this directive is 'on' so that any special character (ASCII < 32) is escaped. However,
    # that causes multiline messages to be rather unreadable. While the practice of printing multiple lines in a log
    # should be discouraged, it is useful when error exception stack traces are being reported.  This option might
    # also cause problems if other log file reader software is being used as it may not be able to read additional
    # lines as those lines wouldn't have any timestamp/source information.
    #
    # If this option is causing problems, it can be disabled which would make interpreting stack traces a bit more
    # difficult. However, the following command can be used when reading log files to make stack traces readable again:
    #     cat /path/to/log/file | sed 's/#012/\n\t/g'
    #
    $EscapeControlCharactersOnReceive off
    
    $template AccessLogFormat,"%msg%\n"
    $template CbLogFormatWithPID,"%timegenerated:1:10:date-rfc3339% %timegenerated:8:15:% [%procid%] <%syslogseverity-text%> %msg%\n"
    $template CbSyslogStandardFormatWithPID,"%timegenerated% [%procid%] <%syslogseverity-text%> %msg%\n"
    
    $template DynaFile,"/var/log/cb/notifications/%PROGRAMNAME%.log"
    
    if $programname startswith 'process' then -?DynaFile
    
    if $programname == 'cb-coreservices' and $syslogfacility-text == 'local0' then /var/log/cb/coreservices/debug.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-coreservices' and $syslogfacility-text == 'local7' then /var/log/cb/coreservices/access.log;AccessLogFormat
    & ~
    if $programname == 'cb-sensorservices' and $syslogfacility-text == 'local0' then /var/log/cb/sensorservices/debug.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-sensorservices' and $syslogfacility-text == 'local7' then /var/log/cb/sensorservices/access.log;AccessLogFormat
    & ~
    if $programname == 'cb-allianceclient' and $syslogfacility-text == 'local0' then /var/log/cb/allianceclient/allianceclient.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-job-runner' then /var/log/cb/job-runner/job-runner.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-all-notifications.log;CbSyslogStandardFormatWithPID
    & ~
    if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
    & ~
    if $programname == 'cb-services' then /var/log/cb/services/init.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-enterprised' then /var/log/cb/enterprise/enterprise.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-liveresponse' and $syslogfacility-text == 'local0' then /var/log/cb/liveresponse/debug.log;CbLogFormatWithPID
    & ~
    if $programname == 'cb-liveresponse' and $syslogfacility-text == 'local7' then /var/log/cb/liveresponse/access.log;AccessLogFormat
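For the watchlist hits to actually leave the server, the cb-notifications- rule needs a forwarding action in addition to the local DynaFile write. The fragment below is an added example in the same legacy rsyslog syntax as the file above, not the product's own configuration; the collector host siem.example.com, port 514, the queue name and the CA path are assumed placeholders.

```rsyslog
# Added example (not from the product's cb-coreservices.conf): keep the local
# per-watchlist DynaFile and ALSO forward every cb-notifications-* message to a
# remote collector. siem.example.com, 514, the queue name and the CA path are
# placeholders for your environment.

# Optional: encrypt the forwarded hits with TLS; without this they cross the
# network in clear text. Needs the rsyslog-gnutls package and the CA that
# signed the collector's certificate. Uncomment to enable.
#$DefaultNetstreamDriver gtls
#$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
#$ActionSendStreamDriverMode 1
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer siem.example.com

# Disk-assisted queue so hits are buffered rather than dropped while the
# collector is unreachable. These directives apply to the next action only;
# queue files land in the $WorkDirectory set in /etc/rsyslog.conf.
$ActionQueueType LinkedList
$ActionQueueFileName cb_watchlist_fwd
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Same filter as the original rule: the local write first, then the forward as
# an additional action ('&' reuses the preceding condition; '@@' is TCP, a
# single '@' would be UDP), and only then the discard. Rules run in order, so
# '& ~' must stay last: a discard placed before the forward silently drops
# every watchlist hit.
if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
& @@siem.example.com:514;CbSyslogStandardFormatWithPID
& ~
```

Check the merged configuration with `rsyslogd -N1` before restarting rsyslog, since a syntax error here stops all Carbon Black logging, not just the forward.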