Carbon Black Cloud: How To Configure The Syslog Connector (Linux)

Environment

  • Carbon Black Cloud: All Supported Versions
  • RHEL/CentOS: All Supported Versions

Objective

How to set up the new cbc-syslog connector from https://pypi.org/project/cbc-syslog/#description

Resolution

  1. Install cbc_syslog with pip
    pip install cbc-syslog
  2. Download cbc_syslog-1.0.0.tar.gz to the syslog server and untar it
    tar -zxvf cbc_syslog-1.0.0.tar.gz
  3. Change to the directory containing cb_defense_syslog.py
    cd cbc_syslog-1.0.0/src/cbc_syslog
  4. Copy the Sample Config File from here into a .conf file using your preferred text editor
    vi syslog.conf
  5. Modify the values according to CB-Defense-How-to-configure-cb-defense-syslog-conf-for-SIEM
  6. Create a .txt file for logs
    touch log.txt
  7. Verify that version 2.7 of python is installed
    python --version
  8. Run the command to start the python script, with -l giving the log file location and -c the config file location
    python cb_defense_syslog.py -l log.txt -c syslog.conf
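The steps above gathered into a small pre-flight wrapper that checks the interpreter version, the config file, the log file and the required python modules before launching the connector. This is an added example, not code from the Carbon Black article or the cbc-syslog project; it assumes the directory layout, file names (syslog.conf, log.txt) and the python cb_defense_syslog.py invocation shown in the steps, and the function names are my own.

```shell
#!/bin/sh
# Pre-flight checks before launching cb_defense_syslog.py (added example).
# Assumed: run from cbc_syslog-1.0.0/src/cbc_syslog after the steps above.

# Returns 0 when a "python --version" string reports a 2.7.x interpreter.
# Python 2.7 prints its version to stderr, so callers pass "$(python --version 2>&1)".
check_python_version() {
    case "$1" in
        "Python 2.7."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the config file exists, is readable, and grants no permission
# bits to "others" (it holds the API and SIEM connector keys).
# Returns 1 if unreadable/missing, 2 if world-accessible.
check_config_file() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    perms=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$perms" in
        *[1-7]) return 2 ;;   # last octal digit = others; any bit set is too open
    esac
    return 0
}

# Returns 0 when every listed module imports with the given interpreter;
# names the first missing one on stderr otherwise (cf. the ImportError notes).
check_modules() {
    py="$1"; shift
    for mod in "$@"; do
        "$py" -c "import $mod" 2>/dev/null || {
            echo "missing python module: $mod" >&2
            return 1
        }
    done
    return 0
}

# Runs all checks, then starts the connector exactly as in step 8.
run_connector() {
    cfg="${1:-syslog.conf}"
    log="${2:-log.txt}"
    check_python_version "$(python --version 2>&1)" || {
        echo "python 2.7 is required" >&2; return 1; }
    check_config_file "$cfg" || {
        echo "config missing, unreadable or world-accessible: $cfg" >&2; return 1; }
    touch "$log" 2>/dev/null || {
        echo "log file not writable: $log" >&2; return 1; }
    # requests is named in the notes; markupsafe is the module the notes say may need version 2.0.1
    check_modules python requests markupsafe || return 1
    python cb_defense_syslog.py -l "$log" -c "$cfg"
}

# Usage: sh preflight.sh run syslog.conf log.txt
case "${1:-}" in
    run) run_connector "$2" "$3" ;;
esac
```

The permission check is there because the .conf carries connector keys; `chmod 600 syslog.conf` before running keeps them from other local users. The module check gives a clearer message than the bare ImportError the notes mention.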

Additional Notes

  • The sample config is at the bottom of the cbc-syslog page
  • The code samples are just examples of what could be used
  • If not all python modules are installed, a message similar to "ImportError: No module named requests" may occur
  • This document assumes that pip and python are installed.
  • To move audit logs to a SIEM, configure both an API and a SIEM connector in the Carbon Black Cloud console and include the values in the .conf
  • The setup may fail with an ImportError if a newer version of markupsafe is installed; in that case it may be necessary to specifically install version 2.0.1

Article Information
Creation Date: 09-04-2020