EDR: Event Forwarder remove_from_output Broken in v3.8.4

Environment

  • EDR Server: 7.7.x and higher
  • Event Forwarder: 3.8.4

Symptoms

After adding the remove_from_output variable to the cb-event-forwarder.conf file and restarting the Event Forwarder, the fields listed for exclusion continue to appear in the JSON output.
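As an added check that is not part of the original article: the script below reads the remove_from_output list from a cb-event-forwarder.conf fragment and counts how many events in the forwarder's JSON-lines output still carry each excluded field, so you can confirm whether a deployment shows this symptom before and after an upgrade. The INI-style key=value layout, the comma-separated field list and the dotted form for nested fields are assumptions, and the config text and events are constructed samples.

```python
import json

# Constructed cb-event-forwarder.conf fragment (assumed key=value layout with a
# comma-separated list; the dotted "event.ioc_attr" form is also an assumption).
SAMPLE_CONF = """
[bridge]
output_format=json
remove_from_output=process_md5,sensor_id,event.ioc_attr
"""

# Constructed JSON-lines output captured after a restart; the excluded fields
# are still present, which is the symptom described above.
SAMPLE_OUTPUT = "\n".join(json.dumps(e) for e in [
    {"type": "ingress.event.procstart", "process_md5": "0" * 32, "sensor_id": 7, "hostname": "h1"},
    {"type": "watchlist.hit.process", "sensor_id": 7, "event": {"ioc_attr": {"x": 1}}},
    {"type": "ingress.event.netconn", "hostname": "h2"},
])


def parse_remove_from_output(conf_text):
    """Return the field names listed under remove_from_output (empty if absent)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "remove_from_output":
            return [f.strip() for f in value.split(",") if f.strip()]
    return []


def _has_path(event, dotted):
    """True if the dotted path (e.g. event.ioc_attr) exists in the event dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def leaked_fields(conf_text, output_text):
    """Per excluded field, count how many forwarded events still carry it.
    All zeros means exclusion works; any non-zero count reproduces the symptom."""
    excluded = parse_remove_from_output(conf_text)
    counts = {f: 0 for f in excluded}
    for line in output_text.splitlines():
        if line.strip():
            event = json.loads(line)
            for f in excluded:
                if _has_path(event, f):
                    counts[f] += 1
    return counts
```

Run it against a real conf file and a few hundred lines of the forwarder's output file; any non-zero count means the installed version is not honouring remove_from_output.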

Cause

Upgrading from v3.7.6 to v3.8.4 broke the ability to remove, or exclude, fields written to the JSON file. Tracked as CB-40736.

Resolution

No workaround is currently available (Nov 2022).

Additional Notes

  • The EF variable 'remove_from_output' is a key element in fine-tuning the RabbitMQ data forwarded to the SIEM.

Article Information

Creation Date: 11-10-2022