
Carbon Black Cloud: How to Configure cb-defense-syslog.conf for Syslog Connector

Environment

  • Carbon Black Cloud Web Console: All Versions
    • Endpoint Standard: All Versions
    • Enterprise EDR: All Versions
  • CBC Syslog Connector: All Versions

Objective

How to configure the cb-defense-syslog.conf file used by the Carbon Black Cloud Syslog Connector


Resolution

  • Review the connector's GitHub documentation, linked HERE.
  • A sample configuration file is linked HERE.

Additional Notes

  • The Carbon Black Cloud (formerly CB PSC) Syslog Connector requires API keys with the SIEM and API access levels; the access level is chosen when the key is created in the console.
  • If the connector pulls from multiple Carbon Black Cloud orgs (Cb Defense servers), add a section for each additional org at the bottom of the config file with its own connector_id, api_key, and server_url. An example section is included in the default config. For further help, see: Cb Defense: How to configure the Syslog Connector to pull data from Multiple Orgs
  • The LEEF output is LEEF version 2.0 only; LEEF 1.0 is not supported.
  • The connector only pulls an Alert and its associated information for Notifications that were actually sent, so at least one Notification must be set up before the connector will receive any data. Notifications can be set up per Carbon Black Cloud: How to Add New Notifications
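The notes above describe the checks that most often bite on first start: a second org section whose connector_id, api_key, or server_url was never filled in, an endpoint left on plaintext HTTP, or an unsupported output format. The following script is an added example, not the connector's own code, that validates a multi-org cb-defense-syslog.conf before the connector is started. The connector_id, api_key, and server_url key names are the ones the article lists; the [general] section, its output_format key, the accepted format names, and the [cbdefenseN] section naming are assumptions about the INI layout, and the config text is constructed for the example.

```python
"""Validate a multi-org cb-defense-syslog.conf before starting the connector.

Added example, not the connector's own code. The [general] section, its
output_format key, the VALID_FORMATS set, and the [cbdefenseN] section names
are assumptions about the INI layout; connector_id, api_key and server_url
are the per-org keys the article itself names.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample config: one correctly filled org section and one that
# still carries placeholder credentials and a plaintext endpoint.
SAMPLE_CONF = """
[general]
output_format = leef
output_type = tcp
tcp_out = 10.0.0.5:514

[cbdefense1]
connector_id = ABCDEFG123
api_key = 0123456789ABCDEF0123456789ABCDEF
server_url = https://defense.conferdeploy.net

[cbdefense2]
connector_id = XXXX
api_key = XXXX
server_url = http://defense-eu.conferdeploy.net
"""

REQUIRED_ORG_KEYS = ("connector_id", "api_key", "server_url")
# Values that mean "never edited"; "XXXX" is the placeholder style in the example section.
PLACEHOLDERS = {"", "xxxx", "changeme", "your_api_key", "your_connector_id"}
# Assumption: these are the output formats the connector accepts. Per the
# article, "leef" means LEEF 2.0; there is no LEEF 1.0 setting to select.
VALID_FORMATS = {"cef", "json", "leef"}


def load_conf(text):
    # interpolation=None so a '%' inside an API key is not treated as a variable.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def org_sections(cp):
    """Every section other than [general] is treated as one Carbon Black Cloud org."""
    return [s for s in cp.sections() if s != "general"]


def validate(text):
    """Return a list of (section, problem) tuples; an empty list means the config passes."""
    cp = load_conf(text)
    problems = []

    if not cp.has_section("general"):
        problems.append(("general", "missing [general] section"))
    else:
        fmt = cp.get("general", "output_format", fallback="").strip().lower()
        if fmt not in VALID_FORMATS:
            problems.append(("general", f"unknown output_format {fmt!r}"))

    orgs = org_sections(cp)
    if not orgs:
        problems.append(("<none>", "no org section with connector credentials"))

    seen_ids = {}
    for s in orgs:
        # Each org needs all three credential keys, and none may be a placeholder.
        for key in REQUIRED_ORG_KEYS:
            val = cp.get(s, key, fallback="").strip()
            if val.lower() in PLACEHOLDERS:
                problems.append((s, f"{key} is missing or still a placeholder"))
        # The API key is sent with every request; refuse a plaintext endpoint.
        url = cp.get(s, "server_url", fallback="").strip()
        if url and urlparse(url).scheme != "https":
            problems.append((s, "server_url must use https; API keys would be sent in clear"))
        # Two sections with the same connector_id usually mean a copy-paste error.
        cid = cp.get(s, "connector_id", fallback="").strip()
        if cid and cid in seen_ids:
            problems.append((s, f"connector_id duplicates section [{seen_ids[cid]}]"))
        seen_ids.setdefault(cid, s)
    return problems


if __name__ == "__main__":
    for section, msg in validate(SAMPLE_CONF):
        print(f"[{section}] {msg}")
```

Run against the constructed config, the script flags only the second org section: its connector_id and api_key are still placeholders and its server_url is plaintext HTTP. Because the file holds long-lived API keys in clear text, keep it readable only by the account the connector runs as (for example `chmod 600`) regardless of what this check reports.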

Article Information
Creation Date: 11-27-2018