Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Related Documentation


    Carbon Black

    The JSA DSM for Carbon Black collects endpoint protection events from a Carbon Black server.

    The following table describes the specifications for the Carbon Black DSM:

    Table 1: Carbon Black DSM Specifications




    Carbon Black

    DSM name

    Carbon Black

    RPM file name


    Supported versions

    5.1 and later



    Recorded event types

    Watchlist hits

    Automatically discovered?


    Includes identity?


    Includes custom properties?


    More information

    Bit9Carbon Black website (

    To integrate Carbon Black with JSA, complete the following steps:

    1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

      • Carbon Black DSM RPM

      • DSMCommon RPM

    2. Configure your Carbon Black device to send syslog events to JSA.

    3. If JSA does not automatically detect the log source, add a Carbon Black log source on the JSA console. The following table describes the parameters that require specific values for Carbon Black event collection:

      Table 2: Carbon Black Log Source Parameters



      Log Source type

      Carbon Black

      Protocol Configuration


    Configuring Carbon Black to Communicate with JSA

    To collect events from Carbon Black, you must install and configure cb-event-forwarder to send Carbon Black events to JSA.

    You can find the following instructions, source code, and quick start guide on the GitHub website (

    1. If it is not already installed, install the CbOpenSource repository:
      cd /etc/yum.repos.d
      curl -O
    2. Install the RPM for cb-event-forwarder:
      yum install cb-event-forwarder
    3. Modify the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file to include udpout=<JSA_IP_address>:514, and then specify LEEF as the output format: output_format=leef.
    4. If you are installing on a computer other than the Carbon Black server, copy the RabbitMQ user name and password into the rabbit_mq_username and rabbit_mq_password variables in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file. In the cb_server_hostname variable, enter the host name or IP address of the Carbon Black server.
    5. Ensure that the configuration is valid by running the cb-event-forwarder in check mode:

      /usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check.

      If valid, the message Initialized output displays. If there are errors, the errors are printed to your screen.

    6. Choose the type of event that you want to capture.

      By default, Carbon Black publishes the all feed and watchlist events over the bus. If you want to capture raw sensor events or all binaryinfo notifications, you must enable those features in the /etc/cb/cb.conf file.

      • To capture raw sensor events, edit the <DatastoreBroadcastEventTypes> option in the /etc/cb/cb.conf file to enable broadcast of the raw sensor events that you want to export.

      • To capture binary observed events, edit the <EnableSolrBinaryInfoNotifications> option in the /etc/cb/cb.conf file and set it to True.

    7. If any variables were changed in /etc/cb/cb.conf, restart the Carbon Black server: "service cb-enterprise restart".
    8. Start the cb-event-forwarder service by using the initctl command: initctl start cb-event-forwarder.

      Note: You can stop the cb-event-forwarder service by using the initctl command: initctl stop cb-event-forwarder.


    Related Documentation


    Modified: 2017-09-13