Environment
- EDR Event Forwarder: All Supported Versions Except For v3.8.4
- EDR Server: All Supported Versions
Question
- Can EDR Event Forwarder filter data?
Answer
- Yes, fields can be filtered within Event Forwarder.
- If it is not already present, add the following setting to the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf configuration file: remove_from_output="field to be filtered"
- The example below filters command lines out of the forwarded data:
remove_from_output=command_line,cmdline
Additional Notes
In Event Forwarder v3.8.4, the remove_from_output functionality is broken.
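The following Python check is an added example, not part of the original article or the product. It reads the remove_from_output list from the configuration text and reports any forwarded event that still carries one of those fields. It assumes the forwarder is writing JSON events one per line; the function names are hypothetical and the sample configuration fragment and events are constructed.

```python
import json

def parse_removed_fields(conf_text):
    """Return the field names listed in remove_from_output (empty if unset)."""
    fields = []
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "remove_from_output":
            # Tolerate quotes and spaces around names; the last occurrence wins.
            names = (f.strip().strip('"') for f in value.split(","))
            fields = [n for n in names if n]
    return fields

def find_leaks(obj, fields, path=""):
    """Yield the path of every key in obj (searched recursively) that is in fields."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in fields:
                yield here
            yield from find_leaks(value, fields, here)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from find_leaks(item, fields, f"{path}[{i}]")

def audit(conf_text, event_lines):
    """Return (line_number, key_path) for each filtered field still present."""
    fields = set(parse_removed_fields(conf_text))
    leaks = []
    for n, raw in enumerate(event_lines, start=1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # assumption: non-JSON lines are not events, skip them
        leaks.extend((n, p) for p in find_leaks(event, fields))
    return leaks

# Constructed sample data, not real forwarder configuration or output.
SAMPLE_CONF = "# constructed fragment\nremove_from_output=command_line,cmdline\n"
SAMPLE_EVENTS = [
    '{"type": "example.procstart", "pid": 4120}',
    '{"type": "example.procstart", "command_line": "notepad.exe report.txt"}',
    '{"type": "example.hit", "docs": [{"cmdline": "cmd.exe /c dir"}]}',
]

if __name__ == "__main__":
    for line_no, key_path in audit(SAMPLE_CONF, SAMPLE_EVENTS):
        print(f"event {line_no}: filtered field still present at {key_path}")
```

Run audit() over a sample of the forwarder's actual output after changing the setting. An empty result means none of the listed fields were found in that sample.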