DOC-11477 - Bit9 Carbon Black - Integration Details
- Pavan Raja

- Apr 8, 2025
Summary:
This document describes how to forward Carbon Black watchlist notifications to ArcSight Logger over syslog. The process involves creating a UDP receiver in ArcSight Logger, pointing Carbon Black's watchlist searcher at the CEF syslog templates in `cb.conf`, and adding a forwarding action to the rsyslog configuration on the Carbon Black server. It also includes steps to test the connection and troubleshoot delivery problems.
Details:
The setup proceeds in the following steps:
1. **Create a UDP Receiver in ArcSight Logger:**
Log into the Logger web console at `https://<Logger IP Address>:443`.
Navigate to the Configuration tab, then select "Event Input".
Click "Add" to create a new receiver.
Give it a name, choose the type "UDP Receiver" (or "CEF UDP Receiver" when the CEF templates are in use), and keep the remaining defaults.
Assign a port that is not already in use; avoid 514, the default syslog port, which is usually already taken (a port from the dynamic range, 49152-65535, is a safe choice). Note the port, because the rsyslog forwarding line in step 3 must use the same one.
Set the source type to Syslog or CEF to match the templates configured in step 2 (the default `process_cef.txt` and `binary_cef.txt` templates emit CEF).
Click "Save" and then enable the receiver.
2. **Configure Carbon Black:**
SSH into the Carbon Black server using `ssh root@carbonblackserver`.
Edit the `cb.conf` file with a preferred text editor like `vi`:
```bash
vi /etc/cb/cb.conf
```
Add the following lines so the watchlist searcher formats watchlist hits with the default CEF syslog templates:
```plaintext
WatchlistSyslogTemplateProcess=/usr/share/cb/syslog_templates/process_cef.txt
WatchlistSyslogTemplateBinary=/usr/share/cb/syslog_templates/binary_cef.txt
```
Save and close the file, then restart the enterprise services:
```bash
service cb-enterprise restart
```
3. **Configure rsyslog on the Carbon Black server:**
Carbon Black writes watchlist notifications through rsyslog, so the forwarding to ArcSight Logger is added to its drop-in configuration:
```bash
vi /etc/rsyslog.d/cb-coreservices.conf
```
Locate the `cb-notifications` rule and add a second action directly under it. In rsyslog, `&` repeats the preceding selector with another action, a single `@` forwards over UDP (`@@` would be TCP), and the port must be the one assigned to the receiver in step 1. Replace the placeholders with the Logger's address and port:
```plaintext
if $programname == 'cb-notifications' then /var/log/cb/notifications/cb-all-notifications.log;CbLogFormatWithPID
& @<ArcSight Logger IP>:<UDP Port>;CbLogFormatWithPID
```
Notifications for an individual watchlist are logged under the program name `cb-notifications-` followed by the watchlist number and written to a dynamic file; add the same forwarding action under that rule:
```plaintext
if $programname == 'cb-notifications-' then ?DynaFile;CbLogFormatWithPID
& @<ArcSight Logger IP>:<UDP Port>;CbLogFormatWithPID
```
4. **Restart the rsyslog service:**
The `& @<ArcSight Logger IP>:<UDP Port>;CbLogFormatWithPID` action applies to both the all-notifications rule and the per-watchlist rule, so every watchlist hit is forwarded. Apply the change with:
```bash
service rsyslog restart
```
5. **Test with sample traffic:**
Use the `cbsyslog` utility to generate a synthetic watchlist hit:
```bash
/usr/share/cb/cbsyslog -f -e watchlist.hit.process
```
This writes a notification log entry that rsyslog forwards to ArcSight Logger, where it should appear shortly afterwards.
6. **Troubleshooting:**
Confirm the test event was written locally to `/var/log/cb/notifications/cb-all-notifications.log`; if it is missing, the problem is in step 2 rather than on the network.
Verify that datagrams leave the Carbon Black server and arrive at the Logger, either from the Logger's receiver statistics or with a packet capture on each side (for example `tcpdump -i any udp port <UDP Port>`).
Ensure the receiver is enabled and that its port is open in the Logger's local firewall.
If a firewall sits between the Carbon Black server and ArcSight Logger, verify that a route exists and that a rule permits UDP to the receiver port.
Keep in mind that plain UDP syslog is unencrypted, unauthenticated and unacknowledged: the Logger cannot distinguish dropped datagrams from silence, and any host that can reach the port can inject events with a forged source address. Restrict the receiver to the Carbon Black server's address at the firewall, and prefer a TCP (`@@`) or TLS-protected receiver where both sides support it.
By following these steps, you can successfully configure your system to send watchlist notifications from Carbon Black to ArcSight Logger using syslog.
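As an added example (not from this KB article, Carbon Black or ArcSight), the following Python script binds the UDP port chosen in step 1 and parses what rsyslog forwards, so you can confirm that datagrams arrive and that the CEF header and extension fields decode correctly before involving the Logger UI. The syslog header layout, the CEF field values and the port in the constructed sample are assumptions; the parser follows the generic CEF escaping rules (backslash-pipe and backslash-backslash in the header, backslash-equals and backslash-backslash in extensions) rather than Carbon Black's specific template output.

```python
"""
Minimal UDP syslog/CEF receiver for checking what the Carbon Black rsyslog forwarder sends.
Added example; not part of DOC-11477, Carbon Black, or ArcSight Logger.
"""
import re
import socket

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Escapes permitted inside CEF extension values (\n and \r stand for line breaks).
_EXT_ESCAPE_RE = re.compile(r"\\([\\=|nr])")
# An extension key: at the start of the extension or after whitespace, directly followed by '='.
_EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def _split_cef_header(text):
    """Split the 7 pipe-separated header fields, honouring backslash escapes.
    Returns (fields, extension_text)."""
    fields, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped character, keep it literally
            current.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            if len(fields) == len(CEF_HEADER_FIELDS):
                return fields, text[i + 1:]        # rest of the line is the extension
        else:
            current.append(ch)
        i += 1
    raise ValueError("incomplete CEF header (fewer than 7 '|' separators)")


def _unescape_extension(value):
    return _EXT_ESCAPE_RE.sub(
        lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces and escaped '='."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape_extension(ext[m.end():end].strip())
    return parsed


def parse_datagram(data):
    """Parse one syslog datagram carrying a CEF event; raises ValueError if no CEF header."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    event = {"raw": text}
    pri = _PRI_RE.match(text)
    if pri:                                   # RFC 3164 <PRI> = facility * 8 + severity
        value = int(pri.group(1))
        event["facility"], event["syslog_severity"] = value >> 3, value & 7
    start = text.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' marker; check the templates configured in cb.conf")
    event["syslog_header"] = text[pri.end() if pri else 0:start].strip()
    fields, ext = _split_cef_header(text[start + len("CEF:"):])
    event.update(zip(CEF_HEADER_FIELDS, fields))
    event["extensions"] = _parse_extension(ext)
    return event


def receive_events(bind_host, port, count=1, timeout=30.0):
    """Bind a UDP socket as the Logger receiver would, parse `count` datagrams, return them."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_host, port))
        while len(events) < count:
            data, (src_ip, _) = sock.recvfrom(65535)
            try:
                event = parse_datagram(data)
            except ValueError as exc:
                print(f"discarding datagram from {src_ip}: {exc}")
                continue
            # UDP source addresses are trivially spoofed: record it for scoping firewall
            # rules, but do not treat it as authentication of the sender.
            event["source_ip"] = src_ip
            events.append(event)
    return events


# Constructed sample datagram (assumed syslog header layout and field values; the real
# CbLogFormatWithPID template and process_cef.txt output may differ in detail).
SAMPLE_DATAGRAM = (
    b"<14>Apr  8 10:15:01 cbserver cb-notifications[2231]: "
    b"CEF:0|Bit9|Carbon Black|5.1|watchlist.hit.process|PowerShell \\| encoded command|5|"
    b"rt=Apr 08 2025 10:15:01 dhost=WS-042 dproc=powershell.exe "
    b"cs1Label=watchlist cs1=Suspicious PowerShell "
    b"msg=cmdline contains key\\=value and a\\\\b"
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_datagram(SAMPLE_DATAGRAM), indent=2))
    # Live check against the port assigned in step 1 (assumed 51514 here):
    # print(receive_events("0.0.0.0", 51514, count=1))
```

Run it on the Logger host only while the receiver is stopped (two processes cannot bind the same UDP port); otherwise point the `& @<host>:<port>` line at a scratch host temporarily. A datagram that reaches the socket but fails with "no 'CEF:' marker" means rsyslog is forwarding but the `cb.conf` templates from step 2 are not in effect.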
