
EDR: How to setup Cb-Event-Forwarder on a separate server

Environment

  • EDR Server: All Versions
  • CB Event Forwarder: All Versions

Objective

How to setup CB-Event-Forwarder on a separate server

Resolution

  1. Log into the server that will host the event forwarder via SSH/Terminal.
  2. Install the event forwarder from the Carbon Black open-source yum repository:
    1. cd /etc/yum.repos.d
    2. curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
    3. yum install cb-event-forwarder
  3. On the EDR server, create a dedicated RabbitMQ user with its own password and grant it permissions. Do not reuse the existing "cb" user, which belongs to the server itself:
    /usr/share/cb/cbrabbitmqctl add_user <username> <password>
    /usr/share/cb/cbrabbitmqctl set_user_tags <username> administrator
    /usr/share/cb/cbrabbitmqctl set_permissions -p / <username> ".*" ".*" ".*"
    The three ".*" patterns are RabbitMQ's configure, write and read permissions on the "/" vhost, and the administrator tag grants management rights beyond what a consumer strictly needs, so keep this account dedicated to the forwarder. Its password is stored in plain text in the forwarder's config file, so use a unique password that is used nowhere else.
  4. On the event forwarder server, open /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf and enter the credentials you created together with the EDR server's hostname:
    rabbit_mq_username=<username>
    rabbit_mq_password=<password>
    cb_server_hostname=<EDR server hostname or IP>
  5. Fill out the remaining settings according to how you want the events forwarded (output type, destination, which event types). See: https://github.com/carbonblack/cb-event-forwarder
  6. Confirm that TCP port 5004 on the EDR server is reachable from the event forwarder server. The forwarder opens the connection to the EDR server's RabbitMQ on that port, so the EDR server's host firewall and any network ACL in between must allow it in that direction.
  7. Start the cb-event-forwarder service:
    initctl start cb-event-forwarder
    On a systemd-based host, use systemctl start cb-event-forwarder instead.
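The following helper script is an added example and is not part of the cb-event-forwarder project or of this article. Run on the forwarder host after step 4, it renders the three connection settings the article lists, checks a finished cb-event-forwarder.conf before the service is started (non-empty values, no reuse of the server's own "cb" account, a hostname that is not the local host, and a file mode that keeps the password from group/other), and probes TCP 5004 on the EDR server. The function names, the validation rules and the sample values are this script's own assumptions; the config keys, the "cb" account and port 5004 come from the article.

```shell
#!/usr/bin/env bash
# Example helper for a remote cb-event-forwarder install (not project code).
# Assumptions: bash (for /dev/tcp), GNU/BSD ls and sed, and the config keys
# rabbit_mq_username, rabbit_mq_password and cb_server_hostname as named in
# the article.
set -u

# Print the remote-connection lines in the form used by
# /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf.
render_remote_settings() {
  local user="$1" pass="$2" host="$3"
  printf 'rabbit_mq_username=%s\nrabbit_mq_password=%s\ncb_server_hostname=%s\n' \
    "$user" "$pass" "$host"
}

# Read one key from an INI-style config; commented-out lines (leading '#')
# are ignored, surrounding spaces are stripped, and the last assignment wins.
conf_get() {
  local conf="$1" key="$2"
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1
}

# Sanity-check a remote forwarder config. Returns 0 when it is usable,
# 1 otherwise, with the reason on stderr.
check_remote_conf() {
  local conf="$1" user pass host perms
  [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 1; }
  user=$(conf_get "$conf" rabbit_mq_username)
  pass=$(conf_get "$conf" rabbit_mq_password)
  host=$(conf_get "$conf" cb_server_hostname)
  [ -n "$user" ] && [ -n "$pass" ] && [ -n "$host" ] ||
    { echo "$conf: rabbit_mq_username, rabbit_mq_password and cb_server_hostname must all be set" >&2; return 1; }
  # The EDR server's own "cb" RabbitMQ account must not be reused.
  [ "$user" != "cb" ] || { echo "$conf: create a dedicated RabbitMQ user instead of reusing 'cb'" >&2; return 1; }
  # A remote install that still points at the local host will never reach the EDR server.
  case "$host" in
    localhost|127.0.0.1|::1) echo "$conf: cb_server_hostname still points at the local host" >&2; return 1 ;;
  esac
  # The file carries a password: columns 5-10 of ls -l are the group/other bits.
  perms=$(ls -l "$conf" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "$conf: mode should be 0600 (group/other bits: $perms)" >&2; return 1; }
  return 0
}

# Probe RabbitMQ on the EDR server (TCP 5004 by default) from this host.
# A 5 second timeout keeps a filtered port from hanging the check.
check_edr_port() {
  local host="$1" port="${2:-5004}"
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Usage: ./forwarder-check.sh <edr-host> [conf]
if [ $# -gt 0 ]; then
  host="$1"
  conf="${2:-/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf}"
  if check_remote_conf "$conf" && check_edr_port "$host"; then
    echo "config ok and ${host}:5004 reachable; start cb-event-forwarder"
  else
    echo "fix the problems above before starting cb-event-forwarder" >&2
    exit 1
  fi
fi
```

The hostname check only catches a config that was copied unchanged from a local install; it does not verify that the name resolves, which the port probe does when run against the real EDR server.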

Additional Notes

  • Configuring the event forwarder from the EDR console is not available for remote event forwarder installations.
  • Audit logging is not available to remote event forwarders. A forwarder installed directly on the EDR server reads the audit logs from /var/log/cb/audit, a path a remote forwarder cannot reach. If the remote forwarder was set up to reduce load on the EDR server, install a second, local event forwarder configured to forward only the audit logs.

Article Information

Creation Date: 12-18-2018