Environment
- EDR Server: All Versions
- CB Event Forwarder: All Versions
Objective
How to setup CB-Event-Forwarder on a separate server
Resolution
- Log into the server that will be hosting the event forwarder via SSH/Terminal
- Download the event forwarder repo and install the package
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
yum install cb-event-forwarder
- On the EDR server, create a new RabbitMQ user and password and grant it permissions (do not reuse the "cb" user that already exists for the server)
/usr/share/cb/cbrabbitmqctl add_user <username> <password>
/usr/share/cb/cbrabbitmqctl set_user_tags <username> administrator
/usr/share/cb/cbrabbitmqctl set_permissions -p / <username> ".*" ".*" ".*"
- On the event forwarder server, open /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf and enter the credentials you created and the EDR server hostname
rabbit_mq_username=
rabbit_mq_password=
cb_server_hostname=
- Fill out the remaining settings based on how you want the events forwarded. See: https://github.com/carbonblack/cb-event-forwarder
- Confirm that port 5004 is open from the event forwarder server to the EDR server
- Start the cb-event-forwarder service
initctl start cb-event-forwarder
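A pre-flight check for the remote install described above, added here as an example (it is not part of the original article or of the cb-event-forwarder project): it reads the forwarder config, confirms the three keys from the procedure are set, rejects the EDR server's own "cb" RabbitMQ account, and can test that TCP 5004 on the EDR server is reachable from the forwarder host. The function names, the sample config values and the --live flag are assumptions for this example.

```bash
#!/usr/bin/env bash
# Pre-flight check for a remote cb-event-forwarder install (added example, not part
# of the original article). It reads the forwarder config, confirms the three keys
# from the procedure above are set, rejects the EDR server's own "cb" RabbitMQ
# account, and can test that TCP 5004 on the EDR server is reachable from here.

CONF_DEFAULT=/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

# conf_value FILE KEY: print KEY's value (last uncommented match, trailing blanks trimmed)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_conf FILE: return 0 if the remote-forwarder settings look usable, 1 otherwise.
# Each problem is printed on its own line so the operator knows what to fix.
check_conf() {
    local conf="$1" rc=0 user pass host
    user=$(conf_value "$conf" rabbit_mq_username)
    pass=$(conf_value "$conf" rabbit_mq_password)
    host=$(conf_value "$conf" cb_server_hostname)
    [ -n "$user" ] || { echo "rabbit_mq_username is empty"; rc=1; }
    [ -n "$pass" ] || { echo "rabbit_mq_password is empty"; rc=1; }
    [ -n "$host" ] || { echo "cb_server_hostname is empty"; rc=1; }
    # The article says not to reuse the "cb" user that exists for the EDR server itself.
    [ "$user" != "cb" ] || { echo "rabbit_mq_username must not be the server's own 'cb' account"; rc=1; }
    return "$rc"
}

# check_port HOST [PORT]: return 0 if a TCP connection to HOST:PORT (default 5004) opens.
# Uses bash's /dev/tcp so no extra tools are needed on the forwarder host.
check_port() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/${2:-5004}" 2>/dev/null
}

# Constructed sample configs (placeholder values, not real credentials).
good_conf=$(mktemp); bad_conf=$(mktemp)
printf 'rabbit_mq_username=forwarder\nrabbit_mq_password=example-secret\ncb_server_hostname=edr.example.internal\n' > "$good_conf"
printf 'rabbit_mq_username=cb\nrabbit_mq_password=\ncb_server_hostname=edr.example.internal\n' > "$bad_conf"

# Run against the real config and the live EDR server with: ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    check_conf "$CONF_DEFAULT" && check_port "$(conf_value "$CONF_DEFAULT" cb_server_hostname)"
fi
```

Run it with --live on the forwarder host before starting the service; a failed port check points at a firewall or routing problem between the two servers rather than at the configuration.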
Additional Notes
- The feature to configure the event forwarder via the console is not available to remote event forwarder installations.
- Audit logging is not available to remote event forwarders. A directly installed event forwarder pulls the audit logs from /var/log/cb/audit on the EDR server, which a remote event forwarder cannot access. If the remote forwarder is intended to reduce load on the EDR server, consider also setting up a local event forwarder configured to forward only audit logs.