Environment
- EDR Server: 7.7.x and higher
- Event Forwarder: 3.8.4
Symptoms
After adding the remove_from_output variable to the cb-event-forwarder.conf file and restarting the Event Forwarder, the fields listed for exclusion continue to appear in the JSON output.
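One way to confirm this symptom on a given installation, as an added example that is not part of the original article or of the vendor's tooling: it reads the remove_from_output list from the config text and counts the output events that still carry those fields as top-level keys. The comma-separated value format, one JSON object per output line, and the field names are assumptions, and the inline sample data is constructed.

```python
import json
from collections import Counter

# Constructed config excerpt; the comma-separated value format is an assumption.
SAMPLE_CONF = """\
# cb-event-forwarder.conf (excerpt)
remove_from_output=computer_name,md5
"""

# Constructed output, one JSON object per line (assumed); field names are illustrative.
SAMPLE_OUTPUT = """\
{"type": "procstart", "computer_name": "host-a", "md5": "PLACEHOLDER", "pid": 100}
{"type": "netconn", "computer_name": "host-b", "pid": 200}
truncated-or-non-json-line
{"type": "filemod", "pid": 300}
"""

def excluded_fields(conf_text):
    """Return the field names listed in remove_from_output, or [] if it is unset."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "remove_from_output":
            return [f.strip() for f in value.split(",") if f.strip()]
    return []

def find_leaks(output_text, fields):
    """Return (per-field count of events still carrying it, parsed events, skipped lines)."""
    leaks, parsed, skipped = Counter(), 0, 0
    for line in output_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None  # partial or non-JSON line: count it, do not abort the scan
        if not isinstance(event, dict):
            skipped += 1
            continue
        parsed += 1
        leaks.update(f for f in fields if f in event)
    return dict(leaks), parsed, skipped

if __name__ == "__main__":
    fields = excluded_fields(SAMPLE_CONF)
    print(fields, find_leaks(SAMPLE_OUTPUT, fields))
```

A non-empty first element in the result means fields listed for exclusion are still reaching the output file, and therefore the SIEM.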
Cause
Upgrading from v3.7.6 to v3.8.4 broke the ability to remove, or exclude, fields written to the JSON file (CB-40736).
Resolution
No workaround is currently available (Nov 2022).
Additional Notes
- The EF variable 'remove_from_output' is a key element in fine-tuning the RabbitMQ data forwarded to the SIEM.