Posted on December 10, 2015
In general, the new cb-event-forwarder 3.0 is designed to be a drop-in replacement for previous versions of the event forwarder. There are a few bug fixes, configuration changes and enhancements of note. The most important change is that the service is now managed by the “upstart” system in CentOS 6. The service command is no longer used to control the service; instead use start cb-event-forwarder and stop cb-event-forwarder to manually start and stop the service.
Upgrades should be transparent via yum upgrade cb-event-forwarder. For best results, stop the old cb-event-forwarder service before upgrading. Note that the old cb-event-forwarder had bugs that resulted in zombie processes being left behind even after the service was stopped; it is recommended to run killall cb-event-forwarder before upgrading as well, to kill those zombie processes.
The configuration file location still defaults to /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf and most existing configuration files will work unchanged with this new version.
The following changes have been made to the configuration file in version 3.0:

- The S3 output now expects the AWS credentials to be placed in the AWS standard locations for the API. The aws_key and aws_secret options are now ignored. The credentials can be supplied by:
  - running aws configure to configure them interactively
  - the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc. environment variables
  - the ~/.aws/credentials file on Linux and Mac OS X
- The S3 output now supports changing the region and temporary directory from the s3out configuration option:
  s3out=(temp-file-directory):(region):(bucket-name)
- There is a new option, http_server_port, which defaults to 33706.
- The message_processor_count configuration option is now ignored.
- There is a new option, output_format, for switching between LEEF and JSON output formats.
- The stdout output option has been removed.
- The tcp output now places a newline (\r\n) between each event in the output stream.
- Bugfix: the output from the childproc event type now contains the correct process_guid value.
- Bugfix: the output from the procend event type now contains the MD5 from the process that exited in the md5 value.
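Two of the configuration changes above, the three-part s3out value and the \r\n separator in the tcp output, are easy to get subtly wrong on the receiving side. The following Go program is an added example written for this post; it is not code from the cb-event-forwarder project. ParseS3Out splits an s3out value into its temp directory, region and bucket, and ReadEvents frames a tcp-output stream on \r\n so a collector does not drop the final event when the sender closes the connection without a trailing separator. Treating a value with no colons as a bare bucket name is an assumption for backwards compatibility, not something the release notes state; the sample event strings and their field values are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// S3Out holds the fields of the 3.0 form of the option:
// s3out=(temp-file-directory):(region):(bucket-name)
type S3Out struct {
	TempDir string
	Region  string
	Bucket  string
}

// ParseS3Out splits an s3out value into its components. A value without
// colons is treated as a bare bucket name (an assumed legacy form, not
// stated in the release notes); region and temp dir are then left empty so
// the caller can apply its own defaults. Any other field count is an error.
func ParseS3Out(value string) (S3Out, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return S3Out{}, errors.New("s3out: empty value")
	}
	parts := strings.Split(value, ":")
	switch len(parts) {
	case 1:
		return S3Out{Bucket: parts[0]}, nil
	case 3:
		out := S3Out{TempDir: parts[0], Region: parts[1], Bucket: parts[2]}
		if out.Bucket == "" {
			return S3Out{}, errors.New("s3out: bucket name is empty")
		}
		return out, nil
	default:
		return S3Out{}, fmt.Errorf("s3out: expected (temp-file-directory):(region):(bucket-name), got %q", value)
	}
}

// splitCRLF is a bufio.SplitFunc that frames a stream on "\r\n", the
// separator the 3.0 tcp output places between events. A trailing partial
// record with no separator is still returned at EOF so nothing is lost.
func splitCRLF(data []byte, atEOF bool) (advance int, token []byte, err error) {
	if i := bytes.Index(data, []byte("\r\n")); i >= 0 {
		return i + 2, data[:i], nil
	}
	if atEOF && len(data) > 0 {
		return len(data), data, nil
	}
	return 0, nil, nil // need more data
}

// ReadEvents consumes a tcp-output stream and returns one string per event.
// Empty frames (e.g. a doubled separator) are skipped.
func ReadEvents(r io.Reader) ([]string, error) {
	sc := bufio.NewScanner(r)
	// Events are JSON documents that can exceed bufio's 64 KiB default.
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024)
	sc.Split(splitCRLF)
	var events []string
	for sc.Scan() {
		if t := sc.Text(); t != "" {
			events = append(events, t)
		}
	}
	return events, sc.Err()
}

// Constructed sample of two events framed as the tcp output would send them.
// The field values are made up for this example.
const sampleStream = "{\"type\":\"childproc\",\"process_guid\":\"00000000-0000-0000-0000-000000000001\"}\r\n" +
	"{\"type\":\"procend\",\"md5\":\"00000000000000000000000000000000\"}\r\n"

func main() {
	out, err := ParseS3Out("/var/tmp/cb-forwarder:us-west-2:my-event-bucket")
	fmt.Printf("s3out: %+v err=%v\n", out, err)

	events, err := ReadEvents(strings.NewReader(sampleStream))
	fmt.Printf("%d events err=%v\n", len(events), err)
	for _, e := range events {
		fmt.Println(" ", e)
	}
}
```

When the collector is a SIEM or syslog relay rather than your own code, check that it splits on the full \r\n sequence; a receiver that splits on \n alone will leave a trailing \r on every event, which breaks strict JSON parsers.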
The daemon is now managed by the “upstart” system in CentOS 6:

- Use the start and stop commands to control the daemon: start cb-event-forwarder.
- The daemon now supports the SIGHUP signal:
  - For the file output, SIGHUP will immediately roll over the event file.
  - For the s3 output, SIGHUP will immediately roll over the current log and flush the logs to S3.
- The cb-event-forwarder now starts an HTTP server on port 33706 with configuration and status reporting. A raw JSON output is available on http://:33706/debug/vars. Note that this port may have to be opened via iptables for it to be accessed remotely.