Environment
- Carbon Black Cloud Web Console: All Versions
- EndPoint Standard: All Versions
- Enterprise EDR: All Versions
- CBC Syslog Connector: All Versions
Objective
How to configure the cb-defense-syslog.conf file used by the Carbon Black Cloud Syslog Connector
Resolution
The following table explains all the configurable fields in the configuration file, and what is required:
| Input | Required | Description |
|---|
| template | Y | Template for syslog output. |
| back_up_dir | Y | Location of the Backup Directory. This will be the location of back up files in the event that results fail to send to Syslog |
| policy_action_severity | Y | This sets the default severity level for POLICY_ACTION notifications. By default it is 4. |
| output_format | Y | Output format of the data sent. Currently support json, leef, and cef formats |
| output_type | Y | Configures the specific output. Valid options are: 'udp', 'tcp', 'tcp+tls', 'http' |
| tcpout | Y | Output Type: IP:port |
| udp_out | Y | Output Type: IP:port |
| http_out | Y | Output Type: http/https endpoint - ie https://server.company.com/endpoint |
| http_headers | Y | Required if using http: {'key1': 'value1', 'key2': 'value2'} |
| https_ssl_verify | Y | Required if using http: True or False |
| requests_ca_cert | N | Override ca file for self signed certificates when using https |
| ca_cert | N | Specifies a file containing PEM-encoded CA certificates for verifying the peer server when using TLS+TCP syslog |
| cert | N | Specifies a file containing PEM-encoded client certificate for verifying this client when using TLS+TCP syslog |
| key | N | Specifies a file containing PEM-encoded private key for verifying this client when using TLS+TCP syslog |
| key_password | N | Specifies the password to decrypt the given private key when using TLS+TCP syslog |
| tls_verify | N | True or False |
| api_connector_id | Y | API Key from API Access Level API Key |
| api_key | Y | API Secret Key from API Access Level API Key |
| siem_connector_id | Y | API Key from SIEM Access Level API Key |
| siem_api_key | Y | API Secret Key from SIEM Access Level API Key |
| server_url | Y | Server URL (Carbon Black Cloud: What URLs are used to access the APIs?) |
Additional Notes
- The CB PSC Syslog Connector requires the use of a SIEM and API Access Level API Keys.
- If using multiple Cb Defense Servers for this SIEM, you can configure additional servers with their connector_id, api_key, and server_url at the bottom of the config file. An example is included by default. For further help, see: Cb Defense: How to configure the Syslog Connector to pull data from Multiple Orgs
- The leef output version is only version 2.0. version 1.0 is not supported
- For the Syslog Connector to pull information a Notification needs to be setup because it will pull the Alert and Associated Information only for Notifications that were sent. Notifications can be setup per Carbon Black Cloud: How to Add New Notifications
Related Content
