Carbon Black EDR User Activity API Audit Logging

You can enable API audit logging for a server by setting EnableExtendedApiAuditLogging=True in the cb.conf configuration file (see the Carbon Black EDR Server Configuration Guide). In this case, Carbon Black EDR logs all REST API requests from either the console or other sources (such as scripts).

API audit log information is stored in the /var/log/cb/audit/useractivity.log file, and also appears as follows:

In the User Management section of the Carbon Black EDR console, under Request Information on the Activity Audit tab.

In a CSV file downloaded from the Activity Audit tab, as in the following example:

2017-12-22 11:30:54:  username='bill' userid='1' ip='::ffff:111.111.1.1' status='200' method='GET' path='/api/v2/sensor'
2017-12-22 11:30:54:  username='bill' userid='1' ip='::ffff:111.111.11.1' status='200' method='GET' path='/api/v1/alert'
2017-12-22 11:30:55:  username='bill' userid='1' ip='::ffff:111.111.11.1' status='200' method='GET' path='/api/v1/detect/report/currentmonitoringstatus'