Posted on February 2, 2022
VMware Carbon Black Cloud App v2 changed the log source identifier used to send events from CBC to QRadar from `cbcloud` (in v1.0) to `localhost` (in v2.0). As a result, if you already have any log sources of type syslog that use `localhost` as the log source identifier, the events will be processed by the existing DSM and not by the DSM provided by the app. This is expected behavior and will be fixed in the v2.1 release.

If you do not have log sources that use `localhost` as the identifier, no change is necessary.
Workaround

Go through the steps below, but note that the change is non-persistent and will be erased if the docker container restarts. It therefore needs to be monitored and re-applied whenever the container or the QRadar server is restarted. To make the change you need access to the docker container where the app is running, so that you can edit the Python script and restart the process that pulls the records from Carbon Black Cloud.

1. Open the `output.py` file with a text editor, e.g. vi: `vi /opt/app-root/app/utils/output.py`
2. Navigate to the method containing the line:
   formatted_msg = time.strftime("%b %d %H:%M:%S").encode("utf-8") + b" localhost " + msg.encode("utf-8") + b"\n"
3. Change `localhost` in this message to something else that contains only letters or digits, e.g. `carbonblackcloud`. After the change, the line should read:
   formatted_msg = time.strftime("%b %d %H:%M:%S").encode("utf-8") + b" carbonblackcloud " + msg.encode("utf-8") + b"\n"
4. Find the process running the poll script (`python /opt/app-root/app/poll.py`) and kill it with `kill -9 <pid>`, where `<pid>` is the PID of that process.
5. Once the `poll.py` script is running again, a Log Source of type syslog with the log source identifier `carbonblackcloud` should be created automatically. If it is not, you must create it manually.
6. Verify the new Log Source: its `Log Source Identifier` parameter should display the name you used to replace `localhost` in step 3 of the workaround fix.
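The following added example (not code from the app or from this article) models why the identifier in the `output.py` line matters. It rebuilds the syslog line the same way the app does, enforces the "letters or digits only" rule from step 3, and uses a small hypothetical routing table to show that an event tagged `localhost` lands on an existing syslog DSM while one tagged `carbonblackcloud` reaches the app's DSM. The routing model, the DSM names and the sample event are constructed for illustration.

```python
import re
import time
from typing import Dict, Optional

# Identifier rule from the workaround: only letters or digits.
IDENT_RE = re.compile(r"^[A-Za-z0-9]+$")


def is_valid_identifier(identifier: str) -> bool:
    """True if the identifier contains only letters or digits."""
    return bool(IDENT_RE.match(identifier))


def format_syslog_message(msg: str, identifier: str,
                          now: Optional[time.struct_time] = None) -> bytes:
    """Build the line exactly as the output.py snippet does:
    '<Mon DD HH:MM:SS> <identifier> <msg>\n', but with the identifier
    validated before it is embedded (the app itself has it hard-coded)."""
    if not is_valid_identifier(identifier):
        raise ValueError(f"identifier must be letters or digits only: {identifier!r}")
    fmt = "%b %d %H:%M:%S"
    ts = time.strftime(fmt, now) if now is not None else time.strftime(fmt)
    return (ts.encode("utf-8") + b" " + identifier.encode("utf-8")
            + b" " + msg.encode("utf-8") + b"\n")


def identifier_of(line: bytes) -> str:
    """Extract the identifier field from a formatted line. The timestamp is
    always three tokens (%d is zero-padded), so the identifier is token 4."""
    parts = line.decode("utf-8").split(" ", 4)
    return parts[3]


def route(line: bytes, existing_sources: Dict[str, str],
          app_identifier: str, app_dsm: str) -> str:
    """Hypothetical model of the behaviour the article describes: an existing
    syslog log source whose identifier matches wins; otherwise an event tagged
    with the app's identifier goes to the app's DSM."""
    ident = identifier_of(line)
    if ident in existing_sources:
        return existing_sources[ident]
    if ident == app_identifier:
        return app_dsm
    return "unmatched"


if __name__ == "__main__":
    # Constructed sample: an existing syslog source already uses 'localhost'.
    existing = {"localhost": "existing syslog DSM"}
    event = '{"type": "alert", "severity": 5}'  # constructed CBC-style payload
    for ident in ("localhost", "carbonblackcloud"):
        line = format_syslog_message(event, ident)
        print(ident, "->", route(line, existing, "carbonblackcloud", "Carbon Black Cloud DSM"))
```

Running the block prints the two routing outcomes side by side; `format_syslog_message` also rejects identifiers such as `carbon-black` or `cbc.local`, which would violate the constraint given in step 3.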
For QRadar v7.3, the log source may not be created automatically. Create it manually using the values below:
- Carbon Black Cloud
- Carbon Black Cloud
- `carbonblackcloud` (use the same identifier that replaced `localhost` in step 3 of the workaround fix)