How To Manually Change Log Source Identifier in VMware Carbon Black Cloud App v2.0 for IBM QRadar

Posted on February 2, 2022


Do I need this change?

VMware Carbon Black Cloud App v2 changed the log source identifier used to send events from CBC to QRadar from cbcloud (in v1.0) to localhost (in v2.0). As a result, if you already have any log source of type syslog that uses localhost as its log source identifier, the events will be processed by that existing DSM and not by the DSM provided by the app. This is expected behavior and will be fixed in the v2.1 release. If you do not have log sources that use localhost as the identifier, no change is necessary.

Workaround to fix the log source identifier

Go through the steps below. Note that the change is non-persistent: it is erased whenever the docker container restarts, so it needs to be monitored and re-applied if the container or the QRadar server is restarted. For the changes below you need access to the docker container where the app is running, to edit the python script and restart the process that pulls the records from Carbon Black Cloud.

  1. Log into the QRadar console and the app’s docker container. (How to connect to app container)
  2. Open the output.py file with a text editor, e.g. vi:
    vi /opt/app-root/app/utils/output.py and then navigate to the send_syslog method with /send_syslog
  3. Find the following line of code:
    formatted_msg = time.strftime("%b %d %H:%M:%S").encode("utf-8") + b" localhost " + msg.encode("utf-8") + b"\n"
    Change the string localhost in this message to something else that contains only letters or digits, e.g. carbonblackcloud. After the change, the line should read:
    formatted_msg = time.strftime("%b %d %H:%M:%S").encode("utf-8") + b" carbonblackcloud " + msg.encode("utf-8") + b"\n"
  4. Save the file and close it.
  5. Check all the running processes with:
    ps ax
  6. Find the process that is running the poll.py script (python /opt/app-root/app/poll.py) and kill it with:
    kill -9 <pid>, where <pid> is the pid of the process.
    The app restarts the process that pulls the alerts from Carbon Black Cloud, and the restarted process picks up the manual change in output.py.
  7. Once QRadar receives events from the restarted poll.py script, a Log Source of type syslog with the log source identifier of carbonblackcloud should be created automatically. If not, you must create it manually.
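To check that the edit is in place (for example after a container restart) and to see exactly what the changed line puts on the wire, here is an added Python example; it is not the app's code nor from the original post. It works on a constructed stand-in for the send_syslog method of output.py, reproduces the framing of the edited line, and the identifier and timestamp values are assumptions.

```python
import re
import time

# Hostname field QRadar reads as the log source identifier: the workaround
# requires letters and digits only.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9]+$")

# The v2.0 framing fragment that the workaround edits in output.py.
ORIGINAL_FRAGMENT = 'b" localhost "'

# Constructed stand-in for the send_syslog method of output.py (not the real file).
SAMPLE_OUTPUT_PY = '''
def send_syslog(self, msg):
    formatted_msg = time.strftime("%b %d %H:%M:%S").encode("utf-8") + b" localhost " + msg.encode("utf-8") + b"\\n"
    self.sock.sendall(formatted_msg)
'''


def check_identifier(identifier: str) -> None:
    """Reject identifiers that are not plain letters/digits, as the workaround requires."""
    if not IDENTIFIER_RE.match(identifier):
        raise ValueError("identifier must contain only letters or digits: %r" % identifier)


def patch_output_py(source: str, identifier: str):
    """Apply the workaround to the text of output.py; returns (patched_text, replacements)."""
    check_identifier(identifier)
    count = source.count(ORIGINAL_FRAGMENT)
    return source.replace(ORIGINAL_FRAGMENT, 'b" %s "' % identifier), count


def is_patched(source: str, identifier: str) -> bool:
    """True if the edit is still present (re-run this after a container or QRadar restart)."""
    return ORIGINAL_FRAGMENT not in source and ('b" %s "' % identifier) in source


def build_syslog_line(msg: str, identifier: str, epoch: float) -> bytes:
    """Reproduce the patched framing: TIMESTAMP IDENTIFIER MSG newline (UTC, for a fixed result)."""
    check_identifier(identifier)
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(epoch)).encode("utf-8")
    return stamp + b" " + identifier.encode("utf-8") + b" " + msg.encode("utf-8") + b"\n"


def identifier_from_syslog_line(line: bytes) -> str:
    """Extract the hostname field, i.e. what QRadar will use as the log source identifier."""
    # RFC 3164 style header: "Mon DD HH:MM:SS" (three tokens), then hostname, then message.
    return line.split(b" ", 4)[3].decode("utf-8")
```

Running is_patched against the live /opt/app-root/app/utils/output.py from a scheduled job is one way to notice when a container restart has silently reverted the edit.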

How to check that Log Source is created

  1. Go to IBM QRadar Log Source Management which is found under Admin menu in the Apps section.
  2. Search for Carbon Black Cloud and select and open the Carbon Black Cloud log source.
  3. In the Log Source Summary view, select the Protocol tab. The Log Source Identifier parameter should display the name you used to replace localhost in step 3 of the workaround fix.
  4. If there is no such Log Source, create it manually as described in the next section.

Manually create a log source with a proper log source identifier

For QRadar v7.3, the log source may not be created automatically. Use the steps below to create it manually.

  1. Go to IBM QRadar Log Source Management which is found under Admin menu in the Apps section.
  2. Click the New Log Source button and select Single Log Source.
  3. Select Log Source Type: Carbon Black Cloud
  4. Select
    1. Protocol type: Syslog
    2. Name: Carbon Black Cloud
    3. Extension: CarbonBlackCloudCustom_ext
  5. Configure the protocol parameters
    1. Log Source Identifier: carbonblackcloud (use the same identifier that replaced localhost in step 3 of the workaround fix)
    2. Incoming Payload Encoding: UTF-8