You can direct all watchlist output to a specific remote device by adding the remote device IP address to the cb-allnotifications
rule in the /etc/rsyslog.d/cb-coreservices.conf file.
Procedure
- Log into the Carbon Black EDR console.
- Edit the cb-coreservices.conf file, for example: vi /etc/rsyslog.d/cb-coreservices.conf
- Add the following line to the configuration file under the cb-allnotifications line (the line to add is the one beginning with "& @"; the other two lines show where it belongs):

    if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID
    & @<remote device IP address>:<UDP port>;CbLogFormatWithPID
    & ~

- Restart the rsyslog daemon so that the changes take effect:

    service rsyslog restart

- Verify that the data is now present on the remote device.
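As an added example (not from the Carbon Black EDR documentation), the following POSIX shell script makes the same edit non-interactively and idempotently, placing the forward action directly under the existing cb-allnotifications action and before the "& ~" discard. It assumes that action line is already present in the file and uses a constructed address, 192.0.2.10:514, as the remote device.

```shell
#!/bin/sh
# Added example, not from the Carbon Black EDR documentation: insert the UDP
# forwarding action for cb-notifications directly under the existing
# cb-allnotifications line, without duplicating it if run more than once.
set -eu

# add_udp_forward CONF IP PORT
# Exit status 0 when the rule is present afterwards (inserted or already there),
# 1 when CONF has no cb-allnotifications action line to anchor on.
add_udp_forward() {
    conf=$1; ip=$2; port=$3
    rule="& @${ip}:${port};CbLogFormatWithPID"    # single '@' = plain UDP in rsyslog syntax
    if grep -qF -- "$rule" "$conf"; then
        return 0                                  # already configured: nothing to do
    fi
    if ! grep -q 'cb-allnotifications.log;CbLogFormatWithPID' "$conf"; then
        return 1
    fi
    tmp=$(mktemp)
    # Emit every line, and the new rule right after the local-file action.
    awk -v rule="$rule" '
        { print }
        /cb-allnotifications.log;CbLogFormatWithPID/ { print rule }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"                          # overwrite in place to keep mode/owner
    rm -f "$tmp"
    grep -qF -- "$rule" "$conf"
}

# count_forward_rules CONF IP PORT -> prints how many copies of the rule exist (expect 1)
count_forward_rules() {
    grep -cF -- "& @${2}:${3};CbLogFormatWithPID" "$1" || true
}

# forward_follows_local CONF -> exit 0 only if the line right after the local
# action is a UDP forward ("& @..."), i.e. it comes before any "& ~" discard.
forward_follows_local() {
    awk '/cb-allnotifications.log;CbLogFormatWithPID/ { getline nxt; ok = (nxt ~ /^& @/); exit }
         END { if (ok) exit 0; exit 1 }' "$1"
}

# Usage on the EDR server (then restart rsyslog as in the procedure):
#   add_udp_forward /etc/rsyslog.d/cb-coreservices.conf 192.0.2.10 514
```

Before restarting, `rsyslogd -N1` checks the merged rsyslog configuration for syntax errors, which catches a mistyped address or port before watchlist output is interrupted.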