Knowledge Base

Yes

Environment

EDR Server: All Versions
Event Forwarder: 3.8.x to 3.8.4

Symptoms

When enabling audit log capture with LEEF format, the format is sent in JSON

Cause

Change in 3.8.x series is not reformatting the logs

Resolution

CB-41266 has been opened to correct this. Please watch for the next release with the fix. Releases · carbonblack/cb-event-forwarder

Workaround:
The only work around at this time is to downgrade to 3.7.6

systemctl stop cb-event-forwarder
cp /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
yum remove cb-event-forwarder
yum install cb-event-forwarder-3.7.6*
mv /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf /tmp
systemctl start cb-event-forwarder

Knowledge Base

EDR: Event Forwarder Not Sending Audit Logs in LEEF

EDR: Event Forwarder Not Sending Audit Logs in LEEF

Environment

Symptoms

Cause

Resolution

EDR

Hosted EDR

Knowledge Base

EDR: Event Forwarder Not Sending Audit Logs in LEEF

EDR: Event Forwarder Not Sending Audit Logs in LEEF

Environment

Symptoms

Cause

Resolution

EDR

Hosted EDR

Thank you for your feedback.

Thank you for your feedback.