Carbon Black Cloud Syslog Connector
Brand New CBC Syslog 2.0.3 Released
The Syslog Connector lets administrators forward alerts and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:
- Generates customizable templated syslog messages
- Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
- Can be configured to transport syslog messages over one of the following: UDP, TCP, TCP over TLS, HTTP(S), or a local file. UDP and plain TCP carry alert data in the clear, so prefer TCP over TLS or HTTPS whenever messages leave a trusted network segment.
For more information on the Syslog Connector, check out the GitHub README.
To update from Syslog 1.x, read the migration guide on GitHub
Alternatives
The Data Forwarder is the recommended export method for reliable, guaranteed delivery of Carbon Black Cloud Alerts. It works at scale for customers and MSSPs of any size by writing zipped JSONL content to an S3 bucket. The Data Forwarder can be configured in the Carbon Black Cloud console under Settings > Data Forwarder, or using the Data Forwarder API.
The Alerts API can be used to build a custom integration. Further details on how to consume the Alerts API can be found in the Alert Bulk Export Guide.
Requirements
- Any Carbon Black Cloud product
Installation
You can install the Syslog Connector using either PyPI or GitHub.
PyPI Installation
pip install cbc-syslog
GitHub Installation
- Clone the repository using SSH or HTTPS
  SSH: git clone git@github.com:carbonblack/cbc-syslog.git
  HTTPS: git clone https://github.com/carbonblack/cbc-syslog.git
- Change to the CBC Syslog directory
  cd cbc-syslog
- Install the Python package
  pip install .
Running cbc_syslog_forwarder
The script cbc_syslog_forwarder is installed into the OS bin directory for easy access from any directory. If you install with pip install --user or inside a virtual environment, it lands in that environment's bin directory instead, which matters when a cron job or scheduled task needs to find it.
>>> cbc_syslog_forwarder --help
usage: cbc_syslog_forwarder [-h] [--log-file LOG_FILE] [-d] [-v] {poll,history,convert,setup,check} ...
positional arguments:
{poll,history,convert,setup,check}
The action to be taken
poll Fetches data from configured sources and forwards to configured output since last poll attempt
history Fetches data from specified source for specified time range and forwards to configured output
convert Convert CBC Syslog 1.0 conf to new 2.0 toml
setup Setup wizard to walkthrough configuration
check Check config for valid API keys with correct permissions
options:
-h, --help show this help message and exit
--log-file LOG_FILE, -l LOG_FILE
Log file location
-d, --debug Set log level to debug
-v, --verbose Set log level to info
The cbc_syslog_forwarder poll command is designed to be executed from a cron job or scheduled task for continual syslog forwarding. Because each poll fetches data since the last poll attempt, the schedule interval is up to you.
If you are a first-time user, try the setup command, which walks you through creating a config file. Feel free to update and customize the config file to meet your needs, and run the check command afterwards to confirm the API keys and permissions are valid.
Mac/Linux
Create a file to hold the cron job, such as syslog-job.txt. Cron jobs use the UNIX cron format for specifying the schedule on which the job is executed; the entry below runs the poll at five minutes past every hour:
5 * * * * cbc_syslog_forwarder --log-file /some/path/cbc-syslog.log poll /some/path/my-config.toml
Cron runs jobs with a minimal PATH, so if cbc_syslog_forwarder is not found, use its absolute path. To install the job once the file is created, run the following command:
crontab syslog-job.txt
Note that this replaces the user's existing crontab. If the user already has other jobs, add the line with crontab -e instead.
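The following script, added here as an example and not part of the cbc-syslog project, does the same scheduling with the safeguards a practitioner would want: it resolves the forwarder to an absolute path (cron's PATH is minimal), runs the check command before installing anything, merges the entry into any existing crontab instead of overwriting it, and wraps the poll in flock so a slow API call cannot produce two overlapping pollers. The config, log and lock paths are assumptions, flock is the Linux util-linux tool, and it assumes the check command takes the config path the same way poll does.

```shell
#!/bin/sh
# Added example (not cbc-syslog project code): install the poll job safely.
# Assumed paths; override with environment variables if yours differ.
set -eu

CONFIG="${CBC_CONFIG:-/etc/cbc-syslog/my-config.toml}"
LOGFILE="${CBC_LOG:-/var/log/cbc-syslog.log}"
LOCK="${CBC_LOCK:-/run/lock/cbc-syslog.lock}"

# Cron runs with a minimal PATH, so resolve the forwarder to an absolute
# path now instead of hoping cron finds it. Falls back to an assumed path.
find_forwarder() {
    command -v cbc_syslog_forwarder 2>/dev/null || echo /usr/local/bin/cbc_syslog_forwarder
}

# Build one crontab entry: poll every 5 minutes. "flock -n" (util-linux,
# Linux only) skips a run while the previous poll still holds the lock,
# so a stalled API call never yields two pollers forwarding the same alerts.
# Args: $1 forwarder path, $2 log file, $3 config file, $4 lock file.
cron_line() {
    printf '*/5 * * * * flock -n %s %s --log-file %s poll %s\n' "$4" "$1" "$2" "$3"
}

# Merge one entry into existing crontab text read on stdin: keep the
# user's other jobs and do not add the entry twice.
merge_crontab() {
    awk -v new="$1" '{ print } $0 == new { seen = 1 } END { if (!seen) print new }'
}

install_job() {
    fwd="$(find_forwarder)"
    # Pre-flight: validate API keys and permissions first so a broken config
    # does not fail silently every five minutes. Assumes "check" takes the
    # config path exactly as "poll" does.
    "$fwd" check "$CONFIG"
    entry="$(cron_line "$fwd" "$LOGFILE" "$CONFIG" "$LOCK")"
    ( crontab -l 2>/dev/null || true ) | merge_crontab "$entry" | crontab -
}

# Only touch the live crontab when explicitly asked: ./schedule.sh install
if [ "${1:-}" = "install" ]; then
    install_job
fi
```

Running the script with the install argument is the only step that modifies the crontab; everything else is pure string handling, so the merge logic can be exercised without root or a real cron daemon.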
Windows
Windows uses Task Scheduler for running scheduled applications.
- Search for Task Scheduler
- Click on Action then Create Task
- Name your Scheduled Task
- Click on the Actions Tab and Click New
- Under Program/script enter cbc_syslog_forwarder
- Under Add arguments provide the arguments you use to run the poll command, with absolute paths to any files
- Click OK
- Click on the Triggers tab and Click New
- Now is the time to schedule your Task. Fill out the information as needed and Click Ok
Your Task has been created! To test your Scheduled Task, follow these instructions below:
- Search for Task Scheduler
- Click on the folder Task Scheduler Library on the left hand column
- Select the Task you want to Test
- Select Run in the Actions pane on the right-hand side.
For more information on Windows Task Scheduler, see Microsoft's guide on how to create an automated task using Task Scheduler.
Last modified on March 25, 2024