
Carbon Black Cloud: How to Configure cb-defense-syslog.conf for Syslog Connector

Environment

  • Carbon Black Cloud Web Console: All Versions
      • Endpoint Standard: All Versions
      • Enterprise EDR: All Versions
  • CBC Syslog Connector: All Versions

Objective

How to configure the cb-defense-syslog.conf file used by the Carbon Black Cloud Syslog Connector


Resolution

The following table explains every configurable field in the configuration file and whether it is required:

| Input | Required | Description |
|---|---|---|
| template | Y | Template for syslog output. |
| back_up_dir | Y | Location of the backup directory. Results that fail to send to syslog are written to backup files here. |
| policy_action_severity | Y | Default severity level for POLICY_ACTION notifications. The default is 4. |
| output_format | Y | Output format of the data sent. Currently supported formats: json, leef, and cef. |
| output_type | Y | Configures the specific output. Valid options are 'udp', 'tcp', 'tcp+tls', and 'http'. |
| tcp_out | Y | Destination for TCP output, as IP:port. |
| udp_out | Y | Destination for UDP output, as IP:port. |
| http_out | Y | HTTP/HTTPS endpoint for HTTP output, e.g. https://server.company.com/endpoint |
| http_headers | Y | Required if using http. Headers to send, as {'key1': 'value1', 'key2': 'value2'} |
| https_ssl_verify | Y | Required if using http: True or False. |
| requests_ca_cert | N | Overrides the CA file used for self-signed certificates when using https. |
| ca_cert | N | File containing PEM-encoded CA certificates used to verify the peer server when using TLS+TCP syslog. |
| cert | N | File containing the PEM-encoded client certificate that identifies this client when using TLS+TCP syslog. |
| key | N | File containing the PEM-encoded private key for this client's certificate when using TLS+TCP syslog. |
| key_password | N | Password used to decrypt the given private key when using TLS+TCP syslog. |
| tls_verify | N | True or False: whether the peer server certificate is verified when using TLS+TCP syslog. |
| api_connector_id | Y | API ID of an API Access Level API Key. |
| api_key | Y | API Secret Key of an API Access Level API Key. |
| siem_connector_id | Y | API ID of a SIEM Access Level API Key. |
| siem_api_key | Y | API Secret Key of a SIEM Access Level API Key. |
| server_url | Y | Server URL (see Carbon Black Cloud: What URLs are used to access the APIs?) |

Additional Notes

  • The CB PSC Syslog Connector requires both a SIEM Access Level API Key and an API Access Level API Key.
  • If multiple Cb Defense servers feed this SIEM, additional servers can be configured with their own connector_id, api_key, and server_url at the bottom of the config file. An example is included by default. For further help, see: Cb Defense: How to configure the Syslog Connector to pull data from Multiple Orgs
  • Only LEEF version 2.0 output is supported; LEEF version 1.0 is not.
  • For the Syslog Connector to pull information, a Notification must be set up: the connector pulls the Alert and its associated information only for Notifications that were sent. Notifications can be set up per Carbon Black Cloud: How to Add New Notifications
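As an added example (not part of this article or the connector's own code), the check below parses a constructed cb-defense-syslog.conf, confirms that the required keys from the table above are present for the chosen output_type and for each org section described in the notes, and flags the settings that turn off certificate verification of the receiver. The section names [general], [tls], and [cbdefense1] and all sample values are assumptions.

```python
import configparser
# Constructed sample cb-defense-syslog.conf; section names ([general], [tls], [cbdefense1]) are assumptions.
SAMPLE_CONF = """
[general]
template = {{source}} {{version}}|{{vendor}}|{{product}}|{{dev_version}}|{{signature}}|{{name}}|{{severity}}|{{extension}}
back_up_dir = /var/lib/cb-defense-syslog/backup
policy_action_severity = 4
output_format = cef
output_type = tcp+tls
tcp_out = 10.0.0.5:6514
[tls]
ca_cert = /etc/cb-defense-syslog/ca.pem
tls_verify = False
[cbdefense1]
api_connector_id = <API-access-level-key-id>
api_key = <API-access-level-secret>
siem_connector_id = <SIEM-access-level-key-id>
siem_api_key = <SIEM-access-level-secret>
server_url = https://defense.example.com
"""

# Keys every config needs, and the extra keys each output_type needs, taken from the table above.
ALWAYS = ("template", "back_up_dir", "policy_action_severity", "output_format", "output_type")
PER_OUTPUT = {"udp": ("udp_out",), "tcp": ("tcp_out",), "tcp+tls": ("tcp_out",),
              "http": ("http_out", "http_headers", "https_ssl_verify")}
ORG_KEYS = ("api_connector_id", "api_key", "siem_connector_id", "siem_api_key", "server_url")


def check_config(text):
    # Returns the list of problems found: missing required keys and settings that disable peer verification.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    general = cp["general"] if cp.has_section("general") else {}
    problems = [f"missing general.{k}" for k in ALWAYS if k not in general]
    out_type = general.get("output_type", "")
    if out_type not in PER_OUTPUT:
        problems.append(f"invalid output_type {out_type!r}")
    else:
        problems += [f"missing general.{k} for {out_type}" for k in PER_OUTPUT[out_type] if k not in general]
    # Every section other than [general] and [tls] holds one org's API/SIEM keys and server_url.
    orgs = [s for s in cp.sections() if s not in ("general", "tls")]
    if not orgs:
        problems.append("no org section with API/SIEM keys and server_url")
    problems += [f"missing {s}.{k}" for s in orgs for k in ORG_KEYS if k not in cp[s]]
    # With verification off, any certificate presented by the syslog or HTTP receiver is accepted.
    if out_type == "tcp+tls" and not cp.getboolean("tls", "tls_verify", fallback=True):
        problems.append("tls.tls_verify is False: receiver certificate is not verified")
    if out_type == "http" and not cp.getboolean("general", "https_ssl_verify", fallback=True):
        problems.append("general.https_ssl_verify is False: receiver certificate is not verified")
    return problems
```

Run check_config on the real file's contents before starting the connector; an empty list means every required key for the configured output is present and verification is left on.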

Article Information
Creation Date: 11-27-2018