You can use Carbon Black EDR syslog templates to build custom-formatted syslog notifications for Carbon Black EDR watchlist hits, feed hits, and binary information events.

Syslog output is formatted using Jinja2 templates. A command line utility at /usr/share/cb/cbsyslog supports:

# /usr/share/cb/cbsyslog --help 
Usage: cbsyslog.py [options]

This utility provides an interface for testing Carbon Black EDR’s notifications syslog output. The interface options are as follows.

Syslog notification testing utility (cbsyslog) options

Option

Description

-h, --help

Displays a help message and then closes the message.

-v, --verbose

Provides detailed output.

-l, --list-events

Outputs the list of events, which can be sent to syslog, and then exits.

-e EVENT_NAME, --event=EVENT_NAME

Identifies specific event types. Use the --listevents option for a list of event names that can be passed here.

Note:

Some event output of the cbsyslog -e contains sample data, while other output contains the results from actual database queries. See the output results to determine if the data is sample data; sample data contains a string such as " "*** Note: This event type uses example content for testing ***" .

-g, --get

Saves the system default templates to the current directory.

-t TEMPLATE, --template=TEMPLATE

Formats the syslog message using the specified template instead of the system default.

-f, --fire

Formats and sends an event through the syslog message system. For example, you can use this option to manually execute the same process that occurs when the Carbon Black EDR server sends an event to syslog when there is a hit.

-q QUERY, --query=QUERY

Processes the first Solr doc that matches the query string. You can use this query to identify which document to test with.