Carbon Black Cloud Syslog Connector

Brand New CBC Syslog 2.0.1 Released

The Syslog Connector lets administrators forward alerts and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:

  • Generates customizable templated syslog messages
  • Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
  • Can be configured to transport syslog messages using one of the following UDP, TCP, encrypted (TCP over TLS), HTTP(S), or local file

For more information on the Syslog Connector checkout the github README

To update from Syslog 1.x, read the migration guide on GitHub

Alternatives

The Data Forwarder is the recommended export method for reliable and guaranteed delivery of Carbon Black Cloud Alerts. This method works at scale to support any size customer or MSSP by writing jsonl zipped content to an S3 bucket. The Data Forwarder can be configured in the Carbon Black Cloud console under Settings > Data Forwarder or using the Data Forwarder API.

The Alerts API can be used to build a custom integration. Further details on how to consume the Alerts API can be found in the Alert Bulk Export Guide.

Requirements

  • Any Carbon Black Cloud product
Note: The Syslog Connector is not supported in the AWS GovCloud (US) environment.

Installation

You can install the Syslog Connector using either PyPI or GitHub.

PyPI Installation

pip install cbc-syslog

GitHub Installation

  1. Clone the repository using SSH or HTTPS

     SSH
 git clone git@github.com:carbonblack/cbc-syslog.git

 HTTPS
 git clone https://github.com/carbonblack/cbc-syslog.git

  2. Change to the CBC Syslog directory

     cd cbc-syslog

  3. Install python package

     pip install .

Running cbc_syslog_forwarder

The script cbc_syslog_forwarder is installed into the OS bin directory for easy access from any directory

>>> cbc_syslog_forwarder --help
usage: cbc_syslog_forwarder [-h] [--log-file LOG_FILE] [-d] [-v] {poll,history,convert,setup,check} ...

positional arguments:
  {poll,history,convert,setup,check}
                        The action to be taken
    poll                Fetches data from configured sources and forwards to configured output since last poll attempt
    history             Fetches data from specified source for specified time range and forwards to configured output
    convert             Convert CBC Syslog 1.0 conf to new 2.0 toml
    setup               Setup wizard to walkthrough configuration
    check               Check config for valid API keys with correct permissions

options:
  -h, --help            show this help message and exit
  --log-file LOG_FILE, -l LOG_FILE
                        Log file location
  -d, --debug           Set log level to debug
  -v, --verbose         Set log level to info

The cbc_syslog_forwarder poll command is designed to be executed in a cronjob or scheduled task for continual syslog forwarding

If you are a first time user try the setup command to walkthrough creating a config file. Feel free to update and customize the config file to meet your needs.


Mac/Linux

Create a file to save the cronjob such as syslog-job.txt. Cronjobs use the UNIX cron format for specifying the schedule for the job to be executed

5  *  *  *  *  cbc_syslog_forwarder --log-file /some/path/cbc-syslog.log poll /some/path/my-config.toml

To start the job once the file is created run the following command

crontab syslog-job.txt

Windows

Windows uses Task Scheduler for running scheduled applications.

  1. Search for Task Scheduler
  2. Click on Action then Create Task
  3. Name your Scheduled Task
  4. Click on the Actions Tab and Click New
  5. Under Program/script enter cbc_syslog_forwarder.
  6. Under Add arguments provide the arguments you use to run the poll command with absolute paths to any files
  7. Click OK
  8. Click on the Triggers tab and Click New
  9. Now is the time to schedule your Task. Fill out the information as needed and Click Ok

Your Task has been created! To test your Scheduled Task, follow these instructions below:

  1. Search for Task Scheduler
  2. Click on the folder Task Scheduler Library on the left hand column
  3. Select the Task you want to Test
  4. Select Run on the Actions column on the right hand column.

For more information on windows task scheduler checkout how to create automated task using task scheduler


Give Feedback

Use this form to give us feedback about this site or any of the documentation.


Last modified on November 1, 2023