Event Forwarder 3.8.2 is the initial release of containerized Event Forwarder, which is compatible with containerized Carbon Black EDR Server. Event Forwarder versions prior to 3.8.2 are not compatible with Carbon Black EDR containerized servers. This topic describes how to install Event Forwarder 3.8.2.

Procedure

  1. Retrieve the containerized version of Event Forwarder 3.8.2 with docker using this command:
    docker pull projects.registry.vmware.com/carbonblack/event-forwarder:3.8.2
  2. Retag the downloaded Event Forwarder image using this command:
    docker tag projects.registry.vmware.com/carbonblack/event-forwarder:3.8.2 projects.registry.vmware.com/carbonblack/event-forwarder:latest

  3. From the directory where the edr-docker script is installed, extract the yml file using this command:
    docker run --rm --entrypoint=/bin/cat projects.registry.vmware.com/carbonblack/event-forwarder:latest /compose.yml > event-forwarder.yml
  4. Set up Carbon Black EDR to control Event Forwarder. Edit data/config/cb.conf and add the following values:
    • EventForwarderEnabled=True
    • EventForwarderContainerAddress=carbonblack-event-forwarder
    • EventForwarderContainerPort=5744
  5. Run the Event Forwarder docker container using this command:
    docker-compose -f event-forwarder.yml up -d
  6. Optional: to get additional logging information for Event Forwarder, use this command:
    docker logs -f carbonblackevent-forwarder
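
One way to apply and verify the step 4 settings without hand-editing, as an added example that is not part of the original procedure or of the product's tooling. The function names are hypothetical, and cb.conf is assumed to use plain Key=Value lines as shown in step 4:

```shell
#!/bin/sh
# Added example: idempotently apply the step 4 settings to cb.conf.
# Function names are hypothetical; keys and values are those listed in step 4.

# set_conf_key FILE KEY VALUE: replace an existing KEY= line or append one.
set_conf_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    # Rewrite the first uncommented KEY= line, drop later duplicates,
    # and append the key if it was not present at all.
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "=" }
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == k {
            if (!seen) { print k "=" v; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back instead of mv so the file keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# configure_event_forwarder FILE: back up FILE, then set the three keys.
configure_event_forwarder() {
    conf=$1
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    set_conf_key "$conf" EventForwarderEnabled True &&
    set_conf_key "$conf" EventForwarderContainerAddress carbonblack-event-forwarder &&
    set_conf_key "$conf" EventForwarderContainerPort 5744
}

# conf_value FILE KEY: print the effective value of KEY (empty if unset).
conf_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Usage: sh this-script.sh data/config/cb.conf
if [ "$#" -gt 0 ]; then
    configure_event_forwarder "$1"
fi
```

Running it a second time leaves the file unchanged, and commented-out lines such as `#EventForwarderEnabled=False` are left in place.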

Results

  • Configuration is saved in data/integrations/event-forwarder.
  • The Carbon Black EDR data folder is re-used.

What to do next

To stop the Event Forwarder docker container when needed, go to the directory that contains the event-forwarder.yml file and issue the following command:

docker-compose -f event-forwarder.yml down