Announcing Auditlog Forwarding for the Carbon Black Cloud Data Forwarder
Posted on June 9, 2025
Data Forwarder Support for CBC Audit Log
As a Carbon Black Cloud customer, archiving the Audit Log data has only been possible via UI export or via API until now. With this Data Forwarder release, you can now stream the Audit Log data in real time from Carbon Black Cloud to your favourite data lake, SIEM or custom integration.
Every entry you find in the Audit Log - whether browsing via the Settings > Audit Log page, or by using the API directly - will stream automatically to a well-configured Data Forwarder whose type = auditlog. This makes available all CBC logins, API access sessions, configuration changes and many kinds of data access that are already being logged in the CBC Audit Log. And it uses exactly the same data schema as the latest Audit Log API.
As with all other CBC Data Forwarder types, the Audit Log forwarder fully supports Semantic Versioning, and initially releases with a v1.0.0 schema and can be configured with Schema updates (version_constraint in the API) of 1.0.0 (pinned), 1.0.* (patch) or 1.. (minor).
This means that Data Forwarder users can opt-in for automatic upgrades of their Audit Log forwarder, as and when new Auth Event forwarder schemas are released in the future, just like with all other Data Forwarder types that support Semantic Versioning.
Resources
- Release Notes
- Audit Log Forwarder schema v1.0
- Data Forwarder Configuration API
- User Guide - Data Forwarder
Have questions or feedback?
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community
- Report bugs and concerns to Carbon Black Support
- Subscribe to the Developer Network Newsletter