Splunk® Supported Add-ons

Splunk Add-on for Carbon Black

Configure your Carbon Black instance to generate and send events to Splunk

Configure your Carbon Black instance to send JSON formatted data to Splunk:

  1. Install the latest version of cb-event-forwarder, which is an open source utility to send JSON formatted data to Splunk.
  2. Follow the steps at https://github.com/carbonblack/cb-event-forwarder#readme

Though Carbon Black supports data collection using file monitoring or HEC, avoid file monitoring for data collection if possible. File monitoring requires the user to point to the location of individual JSON files, which can lead to error. Do not configure HEC and file monitoring together, as this leads to data duplication.


Configure HEC inputs for the Splunk Add-on for Carbon Black

Configure HEC to ingest Carbon Black data ingestion.

  1. Create a new HEC input from Splunk UI by following the steps in https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector.
  2. Add the splunk stanza, if not already present, to the cb_event_forwarder file. Specify the HEC token for the hec_token stanza in cb-event-forwarder.conf. For version 2.1.0 onwards, the HEC raw endpoint is used to collect data. Add the http_output_format as to separate events. The final stanza should look like this:
    [splunk]
    http_post_template={{range .Events}}{{.EventText}}"||"{{end}}
    client_key = /etc/cb/integrations/event-forwarder/client-key.pem
    server_cname = your-splunk-server-name
    tls_verify = false
    insecure_tls = false
    bundle_send_timeout = 60
    upload_empty_files = false
    bundle_size_max = 10485760
    hec_token = <configured_hec_token>
    
    
  3. Replace the splunkout url to the HEC raw endpoint. Optionally, if your HEC token has Indexer Acknowledgement enabled, add a unique channel ID against the splunkout argument in the bridge stanza:
    splunkout = https://<your-splunk-HEC-endpoint>:8088/services/collector/raw?channel=<unique_channel_id>
    
  4. Restart the event forwarder and check for events.


Configure monitor inputs for the Splunk Add-on for Carbon Black

Configure a data collection node in the Splunk platform to monitor the JSON file generated by the script provided by Carbon Black. See Hardware and software requirements for the Splunk Add-on for Carbon Black for information about this script. You can use either Splunk Web to create monitor tasks or configure inputs.conf directly.

Configure Monitoring through Splunk Web

If you have access to Splunk Web on your data collection node:

  1. Log into Splunk Web.
  2. Navigate to Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field and navigate to the directory where Carbon Black Event Forwarder utility has generated JSON file.
  5. On the Whitelist page, add a regular expression so that Splunk Enterprise only monitors the required JSON files, then click Next. For example, .*\.json(\.[\d\-T:\.a-z]*)? will match the following type of files event_bridge_output.json.2019-05-13T11:41:28.167.restart, event_bridge_output.json.20190417, event_bridge_output.json.
  6. On the Sourcetype page, click Manual to enter a source type manually.
  7. Type the following in the Sourcetype field: bit9:carbonblack:json.
  8. Click Review.
  9. After reviewing the information, click Submit.

After you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned.

sourcetype=bit9:carbonblack:json

Configure inputs.conf

The Splunk Add-on for Carbon Black includes a file named inputs.conf.template that you can use as a template to create an inputs.conf file on your data collection node.

  1. Copy the file named inputs.conf.template in the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default folder to the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local folder.
  2. Open the inputs.conf.template file in a text editor. The contents look like this: [monitor://<path_of_the_directory_containing_json_file>]
    sourcetype = bit9:carbonblack:json
    whitelist = <regex_to_match_json_files>
  3. Replace <path_of_the_directory_containing_json_file> with the actual path of the directory where JSON file is generated.
  4. Replace <regex_to_match_json_files> with a regular expression, in order to monitor the required JSON files. For example, .*\.json(\.[\d\-T:\.a-z]*)? will match the following type of files event_bridge_output.json.2019-05-13T11:41:28.167.restart, event_bridge_output.json.20190417, event_bridge_output.json.
  5. Rename the file to inputs.conf.
  6. Restart your data collection node in order for the change to take effect.

Once you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned.

sourcetype=bit9:carbonblack:json

Last modified on 15 March, 2022
Upgrade the Splunk Add-on for Carbon Black   Troubleshoot the Splunk Add-on for Carbon Black

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters