Configure your Carbon Black instance to generate and send events to Splunk

Configure your Carbon Black instance to send JSON-formatted data to Splunk:

  1. Install the latest version of cb-event-forwarder, an open-source utility that sends JSON-formatted data to Splunk.
  2. Follow the steps in the cb-event-forwarder GitHub repository.

Though Carbon Black supports data collection through either file monitoring or HEC, avoid file monitoring if possible: it requires you to point the input at the location of individual JSON files, which is error-prone. Do not configure HEC and file monitoring together, because the same events are then ingested twice.

Configure HEC inputs for the Splunk Add-on for Carbon Black

Configure HEC to ingest Carbon Black data.

  1. Create a new HEC input from Splunk UI by following the steps in Set up and use HTTP Event Collector in Splunk Web.
  2. Add the [splunk] stanza to cb-event-forwarder.conf if it is not already present, and specify your HEC token in the hec_token setting. From version 2.1.0 onwards, the HEC raw endpoint is used to collect data, so add the http_output_format setting to separate events. The final stanza should look like this:

    [splunk]
    http_post_template={{range .Events}}{{.EventText}}"||"{{end}}
    client_key = /etc/cb/integrations/event-forwarder/client-key.pem
    server_cname = your-splunk-server-name
    tls_verify = false
    insecure_tls = false
    bundle_send_timeout = 60
    upload_empty_files = false
    bundle_size_max = 10485760
    hec_token = <configured_hec_token>
    
  3. Replace the splunkout URL with the HEC raw endpoint. Optionally, if Indexer Acknowledgement is enabled on your HEC token, append a unique channel ID to the splunkout URL in the bridge stanza:

    splunkout = https://<your-splunk-HEC-endpoint>:8088/services/collector/raw?channel=<unique_channel_id>
    
  4. Restart the event forwarder and check for events.
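As an added worked example (not code from the Splunk add-on or from cb-event-forwarder), the script below parses the two stanzas edited in steps 2 and 3 and checks them against the procedure: the splunkout URL must be the HTTPS HEC raw endpoint, a channel ID must be present when acknowledgement is enabled, the hec_token must no longer be the placeholder, and http_post_template must be the event-separating template shown above. It also emulates what that template produces for a bundle of events so you can see why a separator is needed. The hostname, token, channel ID and event texts are constructed placeholders, and the template rendering is a simplified model of this one template, not the forwarder's template engine.

```python
import configparser
from urllib.parse import parse_qs, urlparse

# Constructed sample of the [bridge] and [splunk] stanzas this procedure edits.
# Hostname, token and channel ID are placeholders, not values from any real deployment.
SAMPLE_FORWARDER_CONF = """
[bridge]
splunkout = https://splunk.example.internal:8088/services/collector/raw?channel=4f6a1b2c-3d4e-4f50-8a9b-0c1d2e3f4a5b

[splunk]
http_post_template={{range .Events}}{{.EventText}}"||"{{end}}
client_key = /etc/cb/integrations/event-forwarder/client-key.pem
server_cname = splunk.example.internal
tls_verify = false
insecure_tls = false
bundle_send_timeout = 60
upload_empty_files = false
bundle_size_max = 10485760
hec_token = 11111111-2222-3333-4444-555555555555
"""

RAW_ENDPOINT_PATH = "/services/collector/raw"
EXPECTED_TEMPLATE = '{{range .Events}}{{.EventText}}"||"{{end}}'
EVENT_SEPARATOR = '"||"'  # the literal that template places after every event


def load_forwarder_conf(text):
    """Parse cb-event-forwarder.conf-style INI text. interpolation=None keeps the
    Go-template braces and any '%' in values from being interpreted by configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def render_post_body(events):
    """Simplified emulation of what the http_post_template produces for one bundle:
    every event's JSON text followed by the "||" separator. This models only that one
    template; it is not the forwarder's own template engine."""
    return "".join(event + EVENT_SEPARATOR for event in events)


def split_post_body(body):
    """What a line breaker on the "||" separator recovers on the Splunk side."""
    return [part for part in body.split(EVENT_SEPARATOR) if part]


def check_hec_config(cp, ack_enabled):
    """Return human-readable findings for the settings the procedure asks you to set.
    An empty list means the stanzas are consistent with the procedure."""
    findings = []
    url = cp.get("bridge", "splunkout", fallback="")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("splunkout should use https")
    if parsed.path != RAW_ENDPOINT_PATH:
        findings.append("splunkout must point at the HEC raw endpoint " + RAW_ENDPOINT_PATH)
    channel = parse_qs(parsed.query).get("channel", [""])[0]
    if ack_enabled and not channel:
        findings.append("indexer acknowledgement is enabled but splunkout has no channel=<id>")
    token = cp.get("splunk", "hec_token", fallback="")
    if not token or token.startswith("<"):
        findings.append("hec_token is missing or still the <configured_hec_token> placeholder")
    if cp.get("splunk", "http_post_template", fallback="") != EXPECTED_TEMPLATE:
        findings.append('http_post_template does not separate events with "||"')
    if not cp.getboolean("splunk", "tls_verify", fallback=False):
        findings.append("tls_verify = false: the Splunk server certificate is not verified")
    return findings


if __name__ == "__main__":
    conf = load_forwarder_conf(SAMPLE_FORWARDER_CONF)
    for finding in check_hec_config(conf, ack_enabled=True):
        print("finding:", finding)
    # Constructed event texts, only to show the bundle layout.
    body = render_post_body(['{"type":"ingress.event.procstart"}', '{"type":"ingress.event.netconn"}'])
    print(body)
    print(split_post_body(body))
```

Run against the sample above, the only finding is that tls_verify is false, which the stanza in step 2 also sets; whether that is acceptable depends on how the Splunk server certificate is issued in your environment, so it is reported rather than treated as an error. The rendered bundle shows each event followed by the literal `"||"`, which is what lets Splunk break the raw POST body back into individual events.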

Configure monitor inputs for the Splunk Add-on for Carbon Black

Configure a data collection node in the Splunk platform to monitor the JSON file generated by the script provided by Carbon Black. See Hardware and software requirements for the Splunk Add-on for Carbon Black for information about this script. You can use either Splunk Web to create monitor tasks or configure inputs.conf directly.

Configure Monitoring through Splunk Web

If you have access to Splunk Web on your data collection node, follow the steps:

  1. Log into Splunk Web.
  2. Navigate to Settings, then select Data inputs, and select Files & directories.
  3. Select New.
  4. Select Browse next to the File or Directory field and navigate to the directory where the Carbon Black Event Forwarder utility has generated the JSON file.
  5. On the Whitelist page, add a regular expression so that Splunk Enterprise only monitors the required JSON files, then select Next. For example, .*\.json(\.[\d\-T:\.a-z]*)? will match the following types of files:
    • event_bridge_output.json.2019-05-13T11:41:28.167.restart
    • event_bridge_output.json.20190417
    • event_bridge_output.json.
  6. On the Sourcetype page, select Manual to enter a source type manually.
  7. Type the following in the Sourcetype field: bit9:carbonblack:json.
  8. Select Review.
  9. After reviewing the information, select Submit.

After you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned:

sourcetype=bit9:carbonblack:json

Configure inputs.conf

The Splunk Add-on for Carbon Black includes a file named inputs.conf.template that you can use as a template to create an inputs.conf file on your data collection node.

  1. Copy the file named inputs.conf.template in the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default folder to the $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local folder.
  2. Open the inputs.conf.template file in a text editor. The contents look like this:

    [monitor://<path_of_the_directory_containing_json_file>]
    sourcetype = bit9:carbonblack:json
    whitelist = <regex_to_match_json_files>
    
  3. Replace <path_of_the_directory_containing_json_file> with the actual path of the directory where the JSON file is generated.
  4. Replace <regex_to_match_json_files> with a regular expression to monitor the required JSON files. For example, .*\.json(\.[\d\-T:\.a-z]*)? will match the following types of files:
    • event_bridge_output.json.2019-05-13T11:41:28.167.restart
    • event_bridge_output.json.20190417
    • event_bridge_output.json.
  5. Rename the file to inputs.conf.
  6. Restart your data collection node for the changes to take effect.
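The whitelist regular expression in step 4 above (and in step 5 of the Splunk Web procedure) decides which files the monitor input picks up. As an added example, not code from the Splunk add-on, the script below parses an inputs.conf in the shape of the template, checks that the stanza carries the bit9:carbonblack:json sourcetype and a valid whitelist, and then applies the whitelist to a list of file names the way Splunk does, as an unanchored regex match against the full path. The directory path and the file names other than the three listed above are constructed.

```python
import configparser
import re

# Constructed inputs.conf in the shape of inputs.conf.template; the directory is a placeholder.
SAMPLE_INPUTS_CONF = r"""
[monitor:///var/cb/data/event_bridge]
sourcetype = bit9:carbonblack:json
whitelist = .*\.json(\.[\d\-T:\.a-z]*)?
"""

EXPECTED_SOURCETYPE = "bit9:carbonblack:json"

# Constructed file names; the first three are the examples given in the procedure.
SAMPLE_FILENAMES = [
    "event_bridge_output.json.2019-05-13T11:41:28.167.restart",
    "event_bridge_output.json.20190417",
    "event_bridge_output.json.",
    "event_bridge_output.json",
    "event_bridge_output.json.BAK",
    "event_bridge_output.log",
    "README.txt",
]


def load_monitor_stanzas(text):
    """Return a dict per [monitor://...] stanza with its path, sourcetype and whitelist."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    stanzas = []
    for name in cp.sections():
        if not name.startswith("monitor://"):
            continue
        stanzas.append({
            "path": name[len("monitor://"):],
            "sourcetype": cp.get(name, "sourcetype", fallback=""),
            "whitelist": cp.get(name, "whitelist", fallback=None),
        })
    return stanzas


def verify_stanza(stanza):
    """Findings for the two values the procedure asks you to fill in."""
    findings = []
    if stanza["path"].startswith("<"):
        findings.append("directory placeholder has not been replaced")
    if stanza["sourcetype"] != EXPECTED_SOURCETYPE:
        findings.append("sourcetype must be " + EXPECTED_SOURCETYPE)
    wl = stanza["whitelist"]
    if wl is None or wl.startswith("<"):
        findings.append("whitelist is missing or still the <regex_to_match_json_files> placeholder")
    else:
        try:
            re.compile(wl)
        except re.error as exc:
            findings.append("whitelist is not a valid regular expression: %s" % exc)
    return findings


def is_monitored(stanza, filename):
    """Splunk applies the whitelist unanchored against the full path, so re.search, not fullmatch."""
    full_path = stanza["path"].rstrip("/") + "/" + filename
    if stanza["whitelist"] is None:
        return True
    return re.search(stanza["whitelist"], full_path) is not None


def monitored_files(stanza, filenames):
    return [name for name in filenames if is_monitored(stanza, name)]


if __name__ == "__main__":
    for stanza in load_monitor_stanzas(SAMPLE_INPUTS_CONF):
        print("findings:", verify_stanza(stanza))
        for name in SAMPLE_FILENAMES:
            print("monitored" if is_monitored(stanza, name) else "ignored  ", name)
```

Because the match is unanchored, the optional suffix group in the regex only documents the rotated-file names; it does not exclude anything, and any path under the directory that contains `.json` (including `event_bridge_output.json.BAK` in the sample list) is monitored, while `.log` and `.txt` files are ignored. If you want the input to pick up only the rotated forwarder files, anchor the expression accordingly.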

Once you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command to check that events are returned:

sourcetype=bit9:carbonblack:json