You can use Carbon Black EDR syslog templates to build custom-formatted syslog notifications for Carbon Black EDR watchlist hits, feed hits, and binary information events.
Syslog output is formatted using Jinja2 templates. A command line utility at /usr/share/cb/cbsyslog supports testing and customizing that output:

```
# /usr/share/cb/cbsyslog --help
Usage: cbsyslog.py [options]
```
This utility provides an interface for testing Carbon Black EDR’s notifications syslog output. The interface options are as follows.
Syslog notification testing utility (cbsyslog) options

| Option | Description |
|---|---|
| `-h, --help` | Displays a help message and then exits. |
| `-v, --verbose` | Provides detailed output. |
| `-l, --list-events` | Outputs the list of events that can be sent to syslog, and then exits. |
| `-e EVENT_NAME, --event=EVENT_NAME` | Identifies specific event types. Use the<br>Note:<br>Some event output of the |
| `-g, --get` | Saves the system default templates to the current directory. |
| `-t TEMPLATE, --template=TEMPLATE` | Formats the syslog message using the specified template instead of the system default. |
| `-f, --fire` | Formats and sends an event through the syslog message system. For example, use this option to manually run the same process that occurs when the Carbon Black EDR server sends an event to syslog on a hit. |
| `-q QUERY, --query=QUERY` | Processes the first Solr document that matches the query string. Use this to identify which document to test with. |