The cool thing about Cb Response is, you can make SYSLOG messages be literally any format you want, standard or non-standard. Altering the basic format is done by making edits to /etc/rsyslog.d/cb-coreservices.conf. Altering the contents of the "msg" parameter involves changes to templates in "/usr/share/cb/rsyslog". All this is documented, per the information in Chapter 5, in our "Cb Response Integration Guide" at https://community.carbonblack.com/docs/DOC-6708.
Specifically for BSD syslog format (per RFC 3164), if you need support for that, do the following:
(RFC 3164 format is not related to what's in the "msg" part of the SYSLOG transmission. It has to do more with the so-called "headers." So you just need to edit cb-coreservices.conf. You don't have to mess around with the templates.)
- Find the line that starts with
$template CbSyslogStandardFormatWithPID - Create a new line below it that looks like this:
$template CbSyslogRFC3164Format,"%timegenerated% %source% %programname%[%procid%]: %msg%\n" - Now, in all the lines down below that start with "if $programname", wherever you see the string "CbSyslogStandardFormatWithPID", replace it with "CbSyslogRFC3164Format". Make sure it's only that one string you replace. It does not occur on all the lines, only some.
You may need to restart the "rsyslogd" process for the changes to take effect.
