Splunk® Supported Add-ons

Splunk Add-on for Carbon Black


Configure a Carbon Black instance to generate events to send to Splunk

Configure your Carbon Black instance to send JSON formatted data to Splunk:

  1. Install the latest version of cb-event-forwarder, which is an open source utility to send JSON formatted data to Splunk.
  2. Follow the steps at https://github.com/carbonblack/cb-event-forwarder#readme

Though Carbon Black supports data collection using either file monitoring or HEC, avoid file monitoring if possible. File monitoring requires you to point to the location of individual JSON files, which can lead to errors. Do not configure HEC and file monitoring together, as this leads to data duplication.


Configure HEC inputs for the Splunk Add-on for Carbon Black

Configure HEC to ingest Carbon Black data.

  1. Create a new HEC input in Splunk Web by following the steps in https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/UsetheHTTPEventCollector.
  2. Set the HEC token as the value of hec_token in the [splunk] stanza of cb-event-forwarder.conf:
    [splunk]
    client_key = /etc/cb/integrations/event-forwarder/client-key.pem
    server_cname = localhost
    tls_verify = false
    insecure_tls = false
    bundle_send_timeout = 60
    upload_empty_files = false
    bundle_size_max = 10485760
    hec_token = <configured_hec_token>
  3. Add a unique channel ID to the splunkout URL in the bridge stanza:
    splunkout = https://localhost:8088/services/collector?channel=<unique_channel_id>
  4. Restart the event forwarder and check for events.
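An added configuration check, not part of the add-on or of cb-event-forwarder, for the stanzas in steps 2 and 3: it parses a constructed cb-event-forwarder.conf, verifies that hec_token is filled in and that splunkout points at the HEC collector endpoint with a channel ID, and surfaces tls_verify = false, which leaves the forwarder's TLS connection to Splunk unverified. The sample token and channel values are placeholders, and treating the channel ID as a UUID is an assumption made here.

```python
import configparser
import uuid
from urllib.parse import parse_qs, urlparse

# Constructed sample mirroring the [bridge] and [splunk] stanzas from the steps above.
# Token and channel are placeholder values, not real credentials.
SAMPLE_CONF = """
[bridge]
splunkout = https://localhost:8088/services/collector?channel=3fa85f64-5717-4562-b3fc-2c963f66afa6

[splunk]
client_key = /etc/cb/integrations/event-forwarder/client-key.pem
server_cname = localhost
tls_verify = false
insecure_tls = false
bundle_send_timeout = 60
upload_empty_files = false
bundle_size_max = 10485760
hec_token = 00000000-0000-0000-0000-000000000000
"""


def check_forwarder_conf(text):
    """Return a list of findings; an empty list means the HEC settings look complete."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    token = cp.get("splunk", "hec_token", fallback="").strip()
    if not token or token.startswith("<"):
        findings.append("hec_token is missing or still a placeholder")

    url = urlparse(cp.get("bridge", "splunkout", fallback="").strip())
    if url.scheme != "https":
        findings.append("splunkout does not use https")
    if url.path != "/services/collector":
        findings.append("splunkout path is not /services/collector")
    channel = parse_qs(url.query).get("channel", [""])[0]
    try:
        uuid.UUID(channel)  # assumption: channel IDs are UUID-formatted
    except ValueError:
        findings.append("splunkout channel is missing or not a UUID")

    # Not a failure on its own, but worth surfacing: the sample stanza disables
    # certificate verification for the forwarder's connection to Splunk.
    if cp.get("splunk", "tls_verify", fallback="true").lower() == "false":
        findings.append("tls_verify = false: forwarder will not verify the Splunk certificate")
    return findings


if __name__ == "__main__":
    for finding in check_forwarder_conf(SAMPLE_CONF):
        print("finding:", finding)
```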


Configure monitor inputs for the Splunk Add-on for Carbon Black

Configure a data collection node in the Splunk platform to monitor the JSON file generated by the script provided by Carbon Black. See Hardware and software requirements for the Splunk Add-on for Carbon Black for information about this script. You can use either Splunk Web to create monitor tasks or configure inputs.conf directly.

Configure Monitoring through Splunk Web

If you have access to Splunk Web on your data collection node:

  1. Log into Splunk Web.
  2. Navigate to Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field and navigate to the directory where the Carbon Black Event Forwarder utility has generated the JSON file.
  5. On the Whitelist page, add a regular expression so that Splunk Enterprise monitors only the required JSON files, then click Next. For example, .*\.json(\.[\d\-T:\.a-z]*)? matches files such as event_bridge_output.json.2019-05-13T11:41:28.167.restart, event_bridge_output.json.20190417, and event_bridge_output.json.
  6. On the Sourcetype page, click Manual to enter a source type manually.
  7. Type the following in the Sourcetype field: bit9:carbonblack:json.
  8. Click Review.
  9. After reviewing the information, click Submit.

After you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned.

sourcetype=bit9:carbonblack:json

Configure inputs.conf

The Splunk Add-on for Carbon Black includes a file named inputs.conf.template that you can use as a template to create an inputs.conf file on your data collection node.

  1. Copy the file named inputs.conf.template in the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default folder to the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local folder.
  2. Open the inputs.conf.template file in a text editor. The contents look like this:
    [monitor://<path_of_the_directory_containing_json_file>]
    sourcetype = bit9:carbonblack:json
    whitelist = <regex_to_match_json_files>
  3. Replace <path_of_the_directory_containing_json_file> with the actual path of the directory where the JSON file is generated.
  4. Replace <regex_to_match_json_files> with a regular expression that matches only the required JSON files. For example, .*\.json(\.[\d\-T:\.a-z]*)? matches files such as event_bridge_output.json.2019-05-13T11:41:28.167.restart, event_bridge_output.json.20190417, and event_bridge_output.json.
  5. Rename the file to inputs.conf.
  6. Restart your data collection node in order for the change to take effect.
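An added example, not from the add-on, that reads a monitor stanza laid out as in the steps above and applies its whitelist to constructed file names the way Splunk does (an unanchored search over the full path, which is an assumption stated here). It also shows that the page's pattern, because its suffix group is optional, admits any lowercase-suffixed file containing ".json", and offers a tighter end-anchored pattern as a suggestion of this example, not the add-on's. The monitor directory is a placeholder.

```python
import configparser
import re

# Constructed inputs.conf mirroring the template above; the directory is a placeholder.
SAMPLE_INPUTS = r"""
[monitor:///var/cb/data/event_bridge_output]
sourcetype = bit9:carbonblack:json
whitelist = .*\.json(\.[\d\-T:\.a-z]*)?
"""

# Constructed file names: the three from the page plus two that probe the pattern's edges.
CANDIDATES = [
    "event_bridge_output.json.2019-05-13T11:41:28.167.restart",
    "event_bridge_output.json.20190417",
    "event_bridge_output.json",
    "event_bridge_output.json.bak",   # also matches the page pattern: suffix group is optional
    "event_bridge_output.JSON",       # never matches: the pattern is case-sensitive
]

# Suggested tighter pattern (an assumption, not from the add-on): anchored at the end so only
# the bare file, a rotated timestamp/date suffix, or the ".restart" form is monitored.
TIGHT_WHITELIST = re.compile(r"\.json(\.[\d\-T:.]+(\.restart)?)?$")


def load_monitor_whitelist(conf_text):
    """Return (directory, compiled whitelist regex) from the single monitor:// stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    stanza = next(s for s in cp.sections() if s.startswith("monitor://"))
    directory = stanza[len("monitor://"):]
    return directory, re.compile(cp.get(stanza, "whitelist"))


def matching_files(conf_text, names, pattern=None):
    """Apply the whitelist (or an override) with unanchored search semantics to each full path."""
    directory, whitelist = load_monitor_whitelist(conf_text)
    pattern = pattern or whitelist
    return [n for n in names if pattern.search(f"{directory}/{n}")]


if __name__ == "__main__":
    print("page pattern:", matching_files(SAMPLE_INPUTS, CANDIDATES))
    print("tight pattern:", matching_files(SAMPLE_INPUTS, CANDIDATES, TIGHT_WHITELIST))
```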

Once you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned.

sourcetype=bit9:carbonblack:json

Last modified on 21 July, 2021