Environment
- EDR Server: All Versions
- Event Forwarder: 3.8.x to 3.8.4
Symptoms
When audit log capture is enabled with the output format set to LEEF, audit log events are still sent in JSON.
Cause
A change in the 3.8.x series means the forwarder no longer reformats audit log events into LEEF; they are passed through in their original JSON form.
Resolution
CB-41266 has been opened to track the fix. Watch for the next release that includes it.
Releases · carbonblack/cb-event-forwarder
Workaround
The only workaround at this time is to downgrade the Event Forwarder to 3.7.6. Back up the configuration file before removing the package, since removing the package can delete or rename it, and confirm that 3.7.6 is still available in the configured yum repository before you start:
- systemctl stop cb-event-forwarder
- cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /tmp (backup of the current configuration)
- yum remove cb-event-forwarder
- yum install cb-event-forwarder-3.7.6*
- mv /tmp/cb-event-forwarder.conf /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf (restore the backed-up configuration over the freshly installed one)
- systemctl start cb-event-forwarder
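The following script is an added example, not part of the original article or the cb-event-forwarder project. It wraps the workaround above in functions so that a practitioner can first confirm the installed version is in the affected 3.8.0 to 3.8.4 range, check whether a captured output line is actually LEEF or JSON (the symptom described above), and then run the backup, downgrade and restore steps in the right order. The rpm query, the `systemctl` and `yum` commands, and the config path are as used on the page; the two sample output lines are constructed for illustration and are not real forwarder output, and the `--run` flag and function names are this example's own.

```shell
#!/bin/sh
# Added example: guarded downgrade of cb-event-forwarder 3.8.0-3.8.4 to 3.7.6.
set -u

CONF=/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
BACKUP_DIR=${BACKUP_DIR:-/tmp}

# Constructed sample lines (not real forwarder output): an audit event as it
# should look in LEEF, and the JSON form that the 3.8.x bug emits instead.
SAMPLE_LEEF='LEEF:2.0|CarbonBlack|CbResponse|6.x|audit.log|^|cat=audit^usr=admin^msg=login'
SAMPLE_JSON='{"type":"audit.log","username":"admin","description":"login"}'

# Print the installed package version (e.g. "3.8.2"); fails if not installed.
installed_forwarder_version() {
  rpm -q --qf '%{VERSION}' cb-event-forwarder 2>/dev/null
}

# Return 0 if version $1 is within 3.8.0..3.8.4 (the affected range).
# Accepts "3.8.4", "3.8.4-1.el7" and similar; anything after the patch
# number's digits is ignored.
is_affected_version() {
  # shellcheck disable=SC2046
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}        # "4-1" -> "4"
  patch=${patch:-0}
  [ "$major" -eq 3 ] && [ "$minor" -eq 8 ] && [ "$patch" -ge 0 ] && [ "$patch" -le 4 ]
}

# Classify one output line as LEEF, JSON or UNKNOWN. A syslog prefix before
# the payload is tolerated; the LEEF header "LEEF:<ver>|" is checked first.
detect_output_format() {
  case "$1" in
    *"LEEF:"[0-9].[0-9]"|"*) echo LEEF ;;
    "{"*|*" {"*)             echo JSON ;;
    *)                       echo UNKNOWN ;;
  esac
}

# Copy config $1 into directory $2 with a timestamp suffix; print the backup path.
backup_config() {
  conf=$1; dir=$2
  [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }
  bak="$dir/$(basename "$conf").$(date +%Y%m%d%H%M%S).bak"
  cp -p "$conf" "$bak" && printf '%s\n' "$bak"
}

# Put backup $1 back at config path $2, preserving mode and ownership.
restore_config() {
  cp -p "$1" "$2"
}

# The workaround from the article, in order: stop, back up, remove, install
# 3.7.6, restore the saved config, start, and report the service state.
downgrade_forwarder() {
  ver=$(installed_forwarder_version) || { echo "cb-event-forwarder is not installed" >&2; return 1; }
  if ! is_affected_version "$ver"; then
    echo "installed version $ver is not in the affected 3.8.0-3.8.4 range; nothing to do" >&2
    return 0
  fi
  bak=$(backup_config "$CONF" "$BACKUP_DIR") || return 1
  echo "config backed up to $bak"
  systemctl stop cb-event-forwarder
  yum -y remove cb-event-forwarder
  # Quoted so yum, not the shell, expands the glob; fails if 3.7.6 is not in the repo.
  yum -y install 'cb-event-forwarder-3.7.6*' || { echo "3.7.6 not available in repo" >&2; return 1; }
  restore_config "$bak" "$CONF"
  systemctl start cb-event-forwarder
  systemctl is-active cb-event-forwarder
}

# Only perform the downgrade when explicitly asked; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then
  downgrade_forwarder
fi
```

Run it as `sh downgrade.sh --run` on the forwarder host, or source it and call `detect_output_format` on a line pulled from the forwarder's output to confirm whether the installed build actually exhibits the symptom before downgrading.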