Back to Blogs

CBC Data Forwarder vs CBC Syslog

Posted on June 15, 2020

---

Do you need to forward Carbon Black Cloud data to your environment?

There are two tools that exist to help forward Carbon Black Cloud data, the Carbon Black Cloud Data Forwarder or Carbon Black Cloud Syslog.

The Carbon Black Cloud Data Forwarder is the recommended best practice as the tool is integrated into the Carbon Black Cloud and provides improved scaling for large volumes of data. The data forwarder is capable of forwarding both alerts and events to an S3 bucket. See the Configuration API for information on filtering events. Alternative destinations will come in future releases.

The Carbon Black Cloud Syslog forwarder utilizes python and Carbon Black Cloud APIs to fetch notifications and audit logs. The notification and audit log APIs have a FIFO, first in first out, queue like behavior so every call made to the endpoint consumes a portion of the queue which provides the latest notifications and audit logs. The data is converted into a syslog either in LEEF or CEF format and sent over udp, tcp, tcp+tls or http.

How can I choose a forwarder?

Right away the methods each forwarder utilizes can dictate whether that solution will work. If you are unable to use Amazon Web Services then the Carbon Black Cloud Data Forwarder will not work. The same would go for the Carbon Black Cloud Syslog forwarder if the system does not support syslog data through HTTP transportation or you are unable to host a server to automate the python script.

If your organization generates large volumes of data (alerts and events) then the Carbon Black Cloud Data Forwarder will be able to handle the constant flow and any bursts of activity. If storage or data transfer cost is a concern, then the Carbon Black Cloud Syslog forwarder with the notification rules offer a filtration on alerts. Notifications only provide a summary of an alert, so there may be fields that will require additional API calls to be made. With large volumes of alerts the time to fetch the details for each notification may cause a backlog of notifications to build. In this case, the Carbon Black Cloud Data Forwarder configured for both alerts and events will allow for quicker processing and lookup.

Resources

Carbon Black Cloud Data Forwarder

• Read the Data Forwarder Configuration Documentation
• Follow the step-by-step guide

Carbon Black Cloud Syslog

• Read the Carbon Black Cloud Syslog Connector Documentation
• Read How to Create a Cron Job
• Read How to Create a Scheduled Task