Configure CB Response LEEF

Prerequisites

Follow the manufacturer’s instructions for installing CB Response and the CB Event Forwarder.
Set the output format for the CB Event Forwarder to LEEF.
Have an Agent with syslog Enabled available to collect the CB Response logs.
Record the IP address of the LogRhythm Agent.

Configure CB Response for Data Collection

Go to etc/cb/integrations/event-forwarder.
Open cb-event-forwarder.conf.
Update the values for the following settings so that they match the ones shown in the table.
Setting Value
tcpout= <IP address of LogRhythm Agent>:514
udpout= <IP address of LogRhythm Agent>:514
output_type= tcporudp
output_format= leef
Restart the event forwarder service by executing service cb-event-forwarder restart.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is Syslog - CB Response LEEF. In addition, when configuring this log source:

For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
On the Flat File Settings tab, enter the following:
- File Path. <path to log file, including the file name and extension>

Setting	Value
`tcpout=`	`<IP address of LogRhythm Agent>:514`
`udpout=`	`<IP address of LogRhythm Agent>:514`
`output_type=`	`tcp`or`udp`
`output_format=`	`leef`

[data-colorid=lra8u9qab4]{color:#333333} html[data-color-mode=dark] [data-colorid=lra8u9qab4]{color:#cccccc}Prerequisites

Configure CB Response for Data Collection

Prerequisites