This guide configures Carbon Black EDR (Carbon Black Response) to forward its logs to a Splunk SIEM. First, install the “Event Forwarder” module on the Carbon Black master server. Then open the “Event Forwarder” tab in the Carbon Black EDR console, as shown below.
Next, in the “Output” section, set “Type” to “Syslog”. In the “Syslog destination” field, enter the SIEM server’s address in the form protocol:IP:port, for example “udp:192.168.10.11:514”; an example is also shown in the picture. In the “Format” section, select “JSON”. Click the “Save” button at the top. Then click the “Stop service” button on the right, followed by “Start service”, so that the forwarder restarts with the new settings. Finally, check on the SIEM that the logs are arriving.
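Before tuning anything in Splunk, it is worth confirming that the forwarder’s syslog/JSON lines actually reach the configured destination. The listener below is an added example, not code from the original page or from the Carbon Black product: it binds the UDP port used in the example destination, strips the syslog header from each datagram and parses the JSON payload. The sample lines and their field names are constructed for illustration, and binding to port 514 needs elevated privileges.

```python
import json
import socket

# Constructed sample of syslog lines carrying JSON payloads (RFC 3164-style header,
# then the JSON object). Field names are illustrative, not the product's schema.
SAMPLE_LINES = [
    '<14>Jan  1 00:00:00 cbserver cb-event-forwarder[123]: '
    '{"type": "ingress.event.procstart", "hostname": "WS01", "sensor_id": 7}',
    '<14>Jan  1 00:00:01 cbserver cb-event-forwarder[123]: '
    '{"type": "watchlist.hit.process", "hostname": "WS02", "sensor_id": 9}',
    '<14>Jan  1 00:00:02 cbserver cb-event-forwarder[123]: not json at all',
]


def parse_forwarder_line(line):
    """Return the JSON object carried by one syslog line, or None if it has none."""
    start = line.find("{")          # payload begins at the first brace after the header
    if start == -1:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def summarize(lines):
    """Count parsed events per 'type' and the number of lines that failed to parse."""
    counts, bad = {}, 0
    for line in lines:
        event = parse_forwarder_line(line)
        if event is None:
            bad += 1
            continue
        kind = event.get("type", "unknown")
        counts[kind] = counts.get(kind, 0) + 1
    return counts, bad


def capture_udp(host="0.0.0.0", port=514, max_lines=5, timeout=10.0):
    """Receive up to max_lines datagrams on the syslog destination and return them as text."""
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((host, port))
        while len(lines) < max_lines:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break               # nothing arrived within the timeout; report what we have
            lines.append(data.decode("utf-8", errors="replace").rstrip("\n"))
    return lines


if __name__ == "__main__":
    # Offline demo on the constructed sample; call capture_udp() on the SIEM host for live traffic.
    print(summarize(SAMPLE_LINES))
```

UDP syslog is unacknowledged and unencrypted, so an empty capture points at the network path or host firewall between the forwarder and the SIEM rather than at Splunk indexing.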