Perform the following procedure to configure the Event Forwarder in the Carbon Black EDR console.

You do not have to stop the service to configure the Event Forwarder settings; however, you must stop and restart the service for saved changes to take effect.
Note: You cannot save the configuration until after you have established a valid configuration in the Output section of the Event Forwarder Settings page.

Prerequisites

You must have set up the receiving service and credentials before you configure the Event Forwarder for the first time. See https://github.com/carbonblack/cb-event-forwarder.

Carbon Black validates the connection as soon as you click Save; therefore, it is important that the connection is viable before you set up forwarded events. If the connection is not viable, the configuration is not saved.

Procedure

  1. On the navigation bar, click Event Forwarder.
    The Event Forwarder Settings page consists of four sections:
    • Edit and status: Allows you to edit and save or cancel changes to the configuration, displays the service status, and lets you stop/start the service.

    • Events: Identifies the events that will be forwarded.

    • Output: Configures the format and destination for the output.

    • Certificates: Identifies certificates to use for validation.

  2. Click Edit at the top of the page and configure your output in the Output panel.
    The output section in the Event Forwarder Settings page
    1. Click the Format drop-down menu and select the output format. The output can be in either LEEF or JSON format. The default format is JSON.
    2. Select the destination type.

      The required output parameters depend on the destination type. The default destination type is Splunk. Your options are:

  3. Click Save.
    If the connection is viable, the configuration is saved and you can proceed. Saving the configuration immediately updates the configuration file on the server to reflect the changes.
  4. Click Edit. In the Events panel, select the items to be forwarded by checking the checkboxes next to each item. To deselect an item, uncheck the checkbox.
    The events section in the Event Forwarder Settings page
  5. Optionally upload certificates and AWS credentials to validate connections.
    1. In the Output section, click the button for the certificate or credential to upload.
      The certificates and credentials in the Event Forwarder Settings page
    2. In the dialog, specify the file to upload. Click Upload.
  6. Click Save.
  7. Stop and restart the service.
    Note: You can click Cancel to revert to the previous settings.
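
After the service restarts, it is worth confirming at the destination that the format and event types selected in steps 2 and 4 are what actually arrive. The following is an added example, not part of the Carbon Black documentation or the cb-event-forwarder project: it audits received lines against the expected format and event types. The sample lines are constructed, and the JSON `type` field and the LEEF header values are assumptions about the forwarder's output.

```python
import json
from collections import Counter

# Constructed sample lines (not real forwarder output); field names are assumptions.
SAMPLE_LINES = [
    '{"type": "ingress.event.procstart", "cb_server": "cbserver", "process_guid": "constructed-1"}',
    '{"type": "ingress.event.netconn", "cb_server": "cbserver", "process_guid": "constructed-1"}',
    'LEEF:1.0|CB|CB|1.0|ingress.event.procstart|cb_server=cbserver\tprocess_guid=constructed-2',
    'not an event line',
    '',
]

def classify_line(line):
    """Return (format, event_type); format is 'json', 'leef' or 'invalid'."""
    line = line.strip()
    if line.startswith("LEEF:"):
        # LEEF header: LEEF:version|vendor|product|product version|event id|attributes
        parts = line.split("|", 5)
        if len(parts) == 6 and parts[4]:
            return "leef", parts[4]
        return "invalid", None
    if line.startswith("{"):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            return "invalid", None
        if isinstance(event, dict) and isinstance(event.get("type"), str):
            return "json", event["type"]
    return "invalid", None

def audit_output(lines, expected_format, expected_types):
    """Compare received lines with the format and event types selected in the console."""
    seen, problems = Counter(), []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # ignore blank lines
        fmt, event_type = classify_line(line)
        if fmt == "invalid":
            problems.append((number, "unparseable line"))
        elif fmt != expected_format:
            problems.append((number, f"format is {fmt}, expected {expected_format}"))
        elif event_type not in expected_types:
            problems.append((number, f"unexpected event type {event_type}"))
        else:
            seen[event_type] += 1
    missing = sorted(set(expected_types) - set(seen))  # selected but never received
    return {"seen": dict(seen), "missing": missing, "problems": problems}

if __name__ == "__main__":
    wanted = {"ingress.event.procstart", "ingress.event.netconn", "ingress.event.filemod"}
    print(audit_output(SAMPLE_LINES, "json", wanted))
```

An event type reported under `missing` may simply not have occurred yet on any sensor, so let the check run over a representative time window before treating it as a configuration problem.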