You can direct all watchlist output to a specific remote device by adding the remote device IP address to the cb-all-notifications parameter in the /etc/rsyslog.d/cb-coreservices.conf file.

Procedure

  1. Log into the Carbon Black EDR console.
  2. Edit the cb-coreservices.conf file as shown in the following example: vi /etc/rsyslog.d/cb-coreservices.conf.
  3. Add the forwarding action (the second line below) to the configuration file directly under the cb-allnotifications line, before the "& ~" discard action, so the rule reads:
    if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID
    & @<remote device IP address>:<UDP port>;CbLogFormatWithPID
    & ~
    In rsyslog syntax, "&" continues the preceding selector with an additional action, "@" forwards over UDP, and "& ~" discards the message so later rules do not process it again; placing the forwarding action after "& ~" would silently forward nothing.
  4. Restart the rsyslog daemon so that the changes take effect: service rsyslog restart.
  5. Verify that the data is now present on the remote device.
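The following script is an added example, not part of the Carbon Black EDR documentation or product: it applies step 3 idempotently, validates the remote device address and port, and guards the ordering pitfall (the forwarding action must precede the "& ~" discard). It assumes the rule is written one action per line as shown above, that the CbLogFormatWithPID template is already defined in the same file, and an IPv4 remote device. The sample configuration embedded in it is constructed for the demonstration.

```python
"""Idempotently add a UDP forwarding action to the cb-allnotifications rsyslog rule.

Added example (not Carbon Black's own tooling). Assumes the rule in
/etc/rsyslog.d/cb-coreservices.conf is written one action per line, e.g.

    if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID
    & ~

and that the CbLogFormatWithPID template is already defined in that file.
"""
import ipaddress
import re
import sys

# Selector line that starts the cb-notifications rule.
MATCH_RE = re.compile(r"^\s*if\s+\$programname\s*==\s*'cb-notifications'\s+then\b")
# rsyslog discard action: stops further processing of the message.
DISCARD_RE = re.compile(r"^\s*&\s*~\s*$")

# Constructed sample of the relevant part of the config (not the real file).
SAMPLE_CONF = (
    "if $programname == 'cb-notifications' then "
    "/var/log/cb/notifications/cb-allnotifications.log;CbLogFormatWithPID\n"
    "& ~\n"
)


def forward_action(ip: str, port: int) -> str:
    """Build the rsyslog action line; '@' is UDP forwarding in rsyslog syntax."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if addr.version != 4:
        raise ValueError("this helper only handles IPv4 destinations")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"& @{ip}:{port};CbLogFormatWithPID"


def add_forwarding(conf: str, ip: str, port: int) -> str:
    """Return conf with the forwarding action inserted after the cb-notifications
    selector and before its '& ~' discard. Running it twice adds nothing."""
    action = forward_action(ip, port)
    lines = conf.splitlines()
    out = []
    i = 0
    found = False
    while i < len(lines):
        line = lines[i]
        out.append(line)
        if MATCH_RE.match(line):
            found = True
            i += 1
            already = False
            # Keep any existing '&' continuation actions, stopping at the discard.
            while (i < len(lines) and lines[i].lstrip().startswith("&")
                   and not DISCARD_RE.match(lines[i])):
                if lines[i].strip() == action:
                    already = True
                out.append(lines[i])
                i += 1
            if not already:
                out.append(action)  # lands before '& ~', which is appended next
            continue
        i += 1
    if not found:
        raise ValueError("cb-notifications rule not found in config")
    return "\n".join(out) + "\n"


def demo() -> str:
    """Apply the change to the constructed sample; used by the tests."""
    return add_forwarding(SAMPLE_CONF, "192.0.2.10", 514)


if __name__ == "__main__":
    # Usage: python3 cb_forward.py <ip> <port> [path]; without a path the
    # result for the constructed sample is printed instead of touching a file.
    ip, port = sys.argv[1], int(sys.argv[2])
    if len(sys.argv) > 3:
        path = sys.argv[3]
        with open(path) as fh:
            updated = add_forwarding(fh.read(), ip, port)
        with open(path, "w") as fh:
            fh.write(updated)
    else:
        print(add_forwarding(SAMPLE_CONF, ip, port), end="")
```

After writing the file, check the syntax with rsyslogd -N1 before restarting the daemon (step 4). For step 5, a message that matches the rule can be generated on the EDR server with logger -t cb-notifications "forwarding test", since rsyslog derives $programname from the syslog tag; it should then appear on the remote device. UDP forwarding is unauthenticated and unencrypted, so the remote device should only accept datagrams from the EDR server's address, and the destination should be on a trusted network path.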