Environment
- EDR Server: All Versions
- SIEM
- Rsyslog
Objective
How to customize Syslog templates
Resolution
- Find the templates that you will be modifying
- Base templates can be dropped in the current working directory
/usr/share/cb/cbsyslog -g
- CEF format templates can be found here:
/usr/share/cb/syslog_templates
- Open /etc/cb/cb.conf and add configuration based on the templates you will be customizing
BinaryInfoSyslogTemplateGroupObserved=<path and filename>
BinaryInfoSyslogTemplateHostObserved=<path and filename>
BinaryInfoSyslogTemplateObserved=<path and filename>
FeedIngressSyslogTemplateBinary=<path and filename>
FeedIngressSyslogTemplateProcess=<path and filename>
FeedIngressSyslogTemplateHost=<path and filename
FeedStorageSyslogTemplateBinary=<path and filename>
FeedStorageSyslogTemplateProcess=<path and filename>
WatchlistSyslogTemplateBinary=<path and filename>
WatchlistSyslogTemplateProcess=<path and filename>
FeedQuerySyslogTemplateBinary=<path and filename>
FeedQuerySyslogTemplateProcess=<path and filename>
- Review the CB Response Integration Guide for the event type you would like to modify and what additional fields are available
- What to add:
NOTE: <tag> will be what you are mapping to in the SIEM. <key> is the value in the integration doc
- Base Templates will be in this format
<tag>='{{doc["<key>"]}}
- CEF Templates will be in this format
<tag>:{{doc["<key>"]|cef_escape}}
- Save templates
- Restart Services Cb Response: How to restart the server services
Additional Notes
- Some fields are not available depending on event type. For example, cmdline is not available for ingress events, but is available for storage events. Command Line is only available after the event is indexed to Solr.
- Template headers are set in the /etc/rsyslog/cb-coreservices.conf
Related Content
