To collect events from Carbon Black, you must install and configure cb-event-forwarder to send Carbon Black events to IBM QRadar.
Before you begin
Install the Carbon Black Enterprise RPM and ensure that it is running. You can install the cb-event-forwarder on any 64-bit Linux computer that is running CentOS 6.x. It can be installed on the same computer as the Carbon Black server, or on another computer. If you are forwarding many events to QRadar, for example, all file modifications, registry modifications, or both, install cb-event-forwarder on a separate server. If you are not forwarding many events to QRadar, you can install the cb-event-forwarder on the Carbon Black server.
If you are installing the cb-event-forwarder on a computer other than the Carbon Black server, you must configure the Carbon Black server:
- Ensure that TCP port 5004 is open through the iptables firewall on the Carbon Black server. The event-forwarder connects to TCP port 5004 on the Carbon Black server to reach the Cb message bus.
- Get the RabbitMQ user name and password from the /etc/cb/cb.conf file on the Carbon Black server. Search for the RabbitMQUser and RabbitMQPassword variables and note their values.
About this task
You can find the following instructions, source code, and quick start guide on the GitHub website (https://github.com/carbonblack/cb-event-forwarder/).
Procedure
- If it is not already installed, install the CbOpenSource repository:
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
- Install the RPM for cb-event-forwarder:
yum install cb-event-forwarder
- Modify the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file to include udpout=<QRadar_IP_address>:514, and then specify LEEF as the output format: output_format=leef.
- If you are installing on a computer other than the Carbon Black server, copy the RabbitMQ user name and password into the rabbit_mq_username and rabbit_mq_password variables in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. In the cb_server_hostname variable, enter the host name or IP address of the Carbon Black server.
- Ensure that the configuration is valid by running the cb-event-forwarder in check mode:
/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check
If the configuration is valid, the message "Initialized output" is displayed. If there are errors, they are printed to your screen.
- Choose the type of event that you want to capture. By default, Carbon Black publishes all feed and watchlist events over the bus. If you want to capture raw sensor events or all binaryinfo notifications, you must enable those features in the /etc/cb/cb.conf file.
  - To capture raw sensor events, edit the DatastoreBroadcastEventTypes option in the /etc/cb/cb.conf file to enable broadcast of the raw sensor events that you want to export.
  - To capture binary observed events, edit the EnableSolrBinaryInfoNotifications option in the /etc/cb/cb.conf file and set it to True.
- If any variables were changed in /etc/cb/cb.conf, restart the Carbon Black server: service cb-enterprise restart
- Start the cb-event-forwarder service by using the initctl command:
initctl start cb-event-forwarder
Note: You can stop the cb-event-forwarder service by using the initctl command: initctl stop cb-event-forwarder
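The following script is an added example, not part of the IBM or Carbon Black documentation or of the cb-event-forwarder project. It rehearses the configuration steps above on copies of the files: it reads RabbitMQUser and RabbitMQPassword out of a cb.conf, sets the udpout, output_format, cb_server_hostname, rabbit_mq_username and rabbit_mq_password keys in a cb-event-forwarder.conf without overwriting the rest of the file, and checks the result before you run cb-event-forwarder -check. The helper names (cb_conf_value, set_conf_key, validate_forwarder_conf) are hypothetical, both files are assumed to use simple key=value lines, and the sample cb.conf, QRadar address and credentials are constructed.

```shell
#!/bin/sh
# Added example (not IBM's or Carbon Black's code): prepare and sanity-check a
# cb-event-forwarder.conf for the QRadar LEEF integration. Paths are parameters
# so the script can be run against copies of the files without root or yum.

# cb_conf_value FILE KEY: print the value of the KEY=value line in FILE.
# Everything after the first "=" is the value, so passwords containing "=" survive.
cb_conf_value() {
    awk -v key="$2" 'index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }' "$1"
}

# set_conf_key CONF KEY VALUE: replace an existing KEY= line or append one,
# leaving every other setting in the file untouched.
set_conf_key() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp.$$"
    awk -v key="$key" -v value="$value" '
        index($0, key "=") == 1 { print key "=" value; seen = 1; next }
        { print }
        END { if (!seen) print key "=" value }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# validate_forwarder_conf CONF: return 0 when the keys this integration needs
# are present and well formed; otherwise print the reason to stderr and return 1.
validate_forwarder_conf() {
    conf="$1"
    fmt=$(cb_conf_value "$conf" output_format)
    [ "$fmt" = "leef" ] || { echo "output_format must be leef, got '$fmt'" >&2; return 1; }
    dest=$(cb_conf_value "$conf" udpout)
    case "$dest" in
        ?*:514) ;;   # QRadar syslog listener: <QRadar_IP_address>:514
        *) echo "udpout must be <QRadar_IP_address>:514, got '$dest'" >&2; return 1 ;;
    esac
    # A remote forwarder (cb_server_hostname set) also needs the bus credentials.
    if [ -n "$(cb_conf_value "$conf" cb_server_hostname)" ]; then
        for k in rabbit_mq_username rabbit_mq_password; do
            [ -n "$(cb_conf_value "$conf" "$k")" ] || {
                echo "$k is required when cb_server_hostname is set" >&2; return 1; }
        done
    fi
    return 0
}

# Rehearsal on constructed files in a scratch directory.
demo() {
    work=$(mktemp -d)
    cat > "$work/cb.conf" <<'EOF'
# constructed fragment standing in for /etc/cb/cb.conf
RabbitMQUser=cb
RabbitMQPassword=example-bus-password
EOF
    printf '# constructed stand-in for cb-event-forwarder.conf\noutput_format=json\n' \
        > "$work/cb-event-forwarder.conf"
    fwd="$work/cb-event-forwarder.conf"
    set_conf_key "$fwd" udpout 192.0.2.10:514            # constructed QRadar address
    set_conf_key "$fwd" output_format leef
    set_conf_key "$fwd" cb_server_hostname cbserver.example.net
    set_conf_key "$fwd" rabbit_mq_username "$(cb_conf_value "$work/cb.conf" RabbitMQUser)"
    set_conf_key "$fwd" rabbit_mq_password "$(cb_conf_value "$work/cb.conf" RabbitMQPassword)"
    chmod 600 "$fwd"   # the file now holds the bus password; keep it owner-readable
    if validate_forwarder_conf "$fwd"; then
        echo "configuration looks consistent; next run cb-event-forwarder -check"
    fi
    rm -rf "$work"
}

demo
```

The check mirrors what a misconfiguration looks like in practice: a forwarder on a separate host with cb_server_hostname set but no bus credentials will fail at the message-bus connection, and an output_format other than leef will reach QRadar but not parse as Carbon Black events, so both are rejected before the real -check run.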