Environment

• Carbon Black Console
• Carbon Black Cloud Syslog Connector: All Supported Versions

Objective

Resolution

1. CBC Connector ID
2. CBC API Key (from your SIEM connector)
3. The correct API URL is being used, for a full list of URLs check here 

[cbdefense1]
# Cb Defense Connector ID
connector_id = TSDTG351A1
# Cb Defense API Key
api_key = NASD4342562IZ39EMMSDA2
# Cb Defense Server URL
server_url = https://api5.conferdeploy.net # Prod02 URL

3. Check the cb-defense-syslog.log file for HTTP or Authentication errors found here /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log

4. Test connectivity through on-prem firewalls to your backend API URL

1. Create a new API connector type from within the console
2. Run this command: curl -H X-Auth-Token:API_KEY/CONNECTOR_ID https://api5.conferdeploy.net/integrationServices/v3/device
3. If this command worked then connectivity has been verified, try re-creating your SIEM connector and update your keys within the .conf file
4. If this fails, check firewall rules (local and site) to ensure proper exclusions are in place per these documents: Endpoint Standard: Sensor Will Not Register Or Receive Updates When Behind Proxy Or Firewall Carbon Black Cloud: What URLs are Used to Access the APIs?
5. If connectivity is still failing after the firewall rules have been checked, collect a network packet capture, the cb-defense-syslog.log and cb-defense-syslog.conf and create a ticket with support

5. If events are not being received verify:

1. The connectivity checks listed above are passed and no errors are found in the cb-defense-syslog.log file
2. Ensure a Notification has been created and tied to the Connector from the console
3. From the Connectors page select the Notifications Icon and verify alerts are being "Sent". If "NOT_TRIGGERED" is listed, adjust your Notification rules accordingly

Related Content