Remote devices must be configured with a new receiver to accept the rsyslog feed from Carbon Black EDR.

Whether the remote device is an instance of Splunk, ArcSight, or another manager-of-managers platform such as Tivoli, the basic setup requirements are the same: a dedicated UDP receiver, a unique port, and authorization of the Carbon Black EDR server as a sender.

Note:

The procedure for setting up remote devices differs depending upon the device itself. The basics are described here. Adapt the procedure to your particular platform.

Procedure

  1. Add a new UDP receiver (syslog input) to the remote device.
  2. Configure the receiver to listen on a new, unique UDP port reserved for the Carbon Black EDR feed; do not reuse a port that another log source already sends to, or the two feeds will be indistinguishable on the receiver. Verify that the receiver is running and listening on that port (for example, with a socket-listing tool on the receiver and a test message from the Carbon Black EDR server).
    Note:

    The remote device might require the Carbon Black EDR server IP address to be authorized as a sender before it accepts data. Because UDP syslog is neither encrypted nor authenticated and provides no delivery guarantee, restrict the new port to the Carbon Black EDR IP address at the receiver (and at any host firewall in the path) rather than exposing it to the whole network.
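The following is an added example, not part of the Carbon Black EDR documentation or product, showing the procedure above on a generic Linux receiver running rsyslog (for Splunk or ArcSight, the equivalent steps are taken in that product's input configuration). It assumes a Carbon Black EDR server address of 192.0.2.10, a chosen unique port of 5514, and an output file of /var/log/cb-edr.log; all three are placeholders. The generated rsyslog drop-in binds the UDP input to its own ruleset so the EDR events never mix with local syslog, keeps only datagrams whose source address is the EDR server, and discards anything else arriving on that port. The helper functions then install the drop-in, open the port only to the EDR address, and confirm the receiver is listening.

```shell
#!/bin/sh
# Added example: generic rsyslog receiver for the Carbon Black EDR feed.
# Assumed placeholder values; override via environment before running.
EDR_IP="${EDR_IP:-192.0.2.10}"          # assumed EDR server address
EDR_PORT="${EDR_PORT:-5514}"            # assumed unique UDP port for this feed
EDR_LOG="${EDR_LOG:-/var/log/cb-edr.log}"
CONF_PATH="${CONF_PATH:-/etc/rsyslog.d/10-cb-edr.conf}"

# Print the rsyslog drop-in. The input is bound to ruleset "cbedr"; inside it,
# only messages whose source IP is the EDR server are written, and "stop"
# prevents everything on this port from falling through to the default rules.
edr_receiver_conf() {
    cat <<EOF
module(load="imudp")
input(type="imudp" port="$EDR_PORT" ruleset="cbedr")

ruleset(name="cbedr") {
    if \$fromhost-ip == "$EDR_IP" then {
        action(type="omfile" file="$EDR_LOG")
    }
    stop
}
EOF
}

# Write the drop-in, validate the full rsyslog configuration, and reload.
# Requires root; rsyslogd -N1 parses the config without starting the daemon.
install_receiver_conf() {
    edr_receiver_conf > "$CONF_PATH" || return 1
    rsyslogd -N1 || { echo "rsyslog config invalid" >&2; return 1; }
    systemctl restart rsyslog
}

# Authorize only the EDR server at the host firewall (iptables syntax).
# Adapt to firewalld/nftables as needed; the point is a single allowed source.
allow_edr_source() {
    iptables -C INPUT -p udp --dport "$EDR_PORT" -s "$EDR_IP" -j ACCEPT 2>/dev/null \
        || iptables -A INPUT -p udp --dport "$EDR_PORT" -s "$EDR_IP" -j ACCEPT
    iptables -C INPUT -p udp --dport "$EDR_PORT" -j DROP 2>/dev/null \
        || iptables -A INPUT -p udp --dport "$EDR_PORT" -j DROP
}

# Returns 0 if some process is listening on the chosen UDP port.
verify_listening() {
    ss -ulnp 2>/dev/null | grep -q ":$EDR_PORT[[:space:]]"
}

# Run from the EDR server (or any host) to send one syslog datagram to the
# receiver; the message should then appear in $EDR_LOG only if the sender's
# address matches EDR_IP.
send_test_event() {
    receiver="$1"
    logger --udp --server "$receiver" --port "$EDR_PORT" -t cb-edr-test \
        "test event from $(hostname)"
}

case "${1:-}" in
    print) edr_receiver_conf ;;
    apply) install_receiver_conf && allow_edr_source && verify_listening ;;
    test)  send_test_event "$2" ;;
esac
```

Run `sh receiver.sh print` to review the generated drop-in, `sh receiver.sh apply` as root on the receiver, and `sh receiver.sh test <receiver-host>` from the Carbon Black EDR server; a message from any other host is silently dropped by the ruleset, which is the behaviour to confirm before trusting the feed.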