Carbon Black Cloud Beat Collection
This document explains how to initialize Carbon Black Cloud Beat using cloud-to-cloud collection after configuration. It is primarily focused on the alert log to be pulled from the Carbon Black Cloud console. This feature is available only to LRCloud customers.
Prerequisites
Before initializing Carbon Black Cloud Beat, do the following:
- Make sure that the customer is an LRCloud customer and has their environment hosted.
- Check if Open Collector has been installed in the customer's LRCloud environment on a separate instance. If not, an Open Collector instance must be requested via a support case.
- Ensure that the Open Collector log source has been accepted.
- Check if you have the Carbon Black Cloud console hostname. You should have received the hostname when you purchased the Carbon Black Cloud platform.
  For more information on hostname, see https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#hostname.
- Make sure that you have the Carbon Black Cloud console API Credentials and Organization key. If you do not have the required details, follow the instructions in Configure API Access on Carbon Black Cloud Console.
- Ensure that you have a sensor installed in one of your machines to sync the alerts on the Carbon Black Cloud console. This sensor can be installed using the Sensor option provided under Endpoints in the Carbon Black Cloud console.
Apply the Log Source Virtualization Template
- Log in to the Client Console in Cameyo.
- Click Deployment Manager from the toolbar.
- Click the Log Sources tab.
- Double-click the required Open Collector Log Source (for example, {instance}-opencollector.c.e3-hub-753dd405.internal Open Collector).
  The Log Message Source Properties window appears.
- Click the Log Source Virtualization tab.
- If not checked, select the Enable Virtualization check box.
- Click Create Virtual Log Sources.
  The Create Virtual Log Sources dialog box appears.
- In the Virtual Log Sources menu, check the Action check box corresponding to "Syslog - Open Collector - Carbon Black Cloud" and "Syslog - Open Collector - CarbonBlackBeat Heartbeat" log source types.
- Click Save.
  The Virtual Log Source(s) created prompt appears.
- Click Ok.
- Click Apply.
- Click Ok.
  The new Log Sources will appear in the grid as children of your parent log source.
- Click the System Monitors tab.
- Select the Action check box corresponding to the (customerid)-dpawc agent.
- Right-click the selection, click Actions and then click Service Restart.
Initialize the Beat
- Log in to the Web Console as a Restricted Administrator User.
- On the top navigation bar, click the Administration icon and select Cloud Log Collection.
- At the top of the Cloud Log Collection page, click New Log Source.
  The New cloud log collection dialog box appears.
- Select the CarbonBlack Beat - Open Collector tile.
  The Add CarbonBlack Beat Log Source window appears.
- Enter the following details:

Setting | Description |
---|---|
Name | Enter the name for this log source. |
Description (Optional) | Enter a description for this log source. |
Hostname | Enter the Carbon Black Cloud console hostname. Do not include the "https://" from the original hostname. |
API ID | Enter the Carbon Black Cloud Platform API ID (for example, 12345678). |
Secret Key | Enter the Carbon Black Cloud Platform API Secret Key (for example, ABCDEFGHIJKLMNOPQRSTUVWX). |
Org Key | Enter the Carbon Black Cloud Platform Organization Key (for example, 1ABCD33E). |

- Click Save.
- Log in to the Client Console in Cameyo.
- Click Deployment Manager from the toolbar.
- Click the System Monitors tab.
- Select the Action check box corresponding to the dpawc agent.
- Right-click the selection, click Actions and then click Service Restart.
A new log source is created with the provided information, based on the virtualized log source that was already created. Collection should start automatically in a few minutes.
The Open Collector hosts the log sources. It is recommended to create a new host entity and move the log source to the new host. Do this from the log source properties screen, not from the log source grid.
For security, the values entered are encrypted using LRCrypt.
Default Config Values for the Carbon Black Cloud Beat
Setting | Field Name | Default Values |
---|---|---|
1 | heartbeatinterval | 60s |
2 | heartbeatdisabled | false |
3 | period | 2s |
4 | numbackdaysData | 7. Number of back days must be a non-negative number. Only 180 days of backlog data is supported. Therefore, the range for this value is 1-180 days. |
5 | limit | 1000. Supported limit range is 100-1000. |
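
A pre-flight check for the values entered in the Add CarbonBlack Beat Log Source window and the ranges in the table above, added here as an example and not part of the product or its documentation. The dictionary key names (`hostname`, `api_id`, `secret_key`, `org_key`), the duration pattern, and the sample hostname `console.example.com` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Defaults and ranges come from the table above; the dict layout is an assumption.
DEFAULTS = {"heartbeatinterval": "60s", "heartbeatdisabled": False,
            "period": "2s", "numbackdaysData": 7, "limit": 1000}
RANGES = {"numbackdaysData": (1, 180), "limit": (100, 1000)}
DURATION = re.compile(r"^[1-9]\d*(ms|s|m|h)$")  # assumed duration syntax, e.g. 60s


def normalize_hostname(value):
    """Return the bare console hostname, without "https://" or a trailing path."""
    value = value.strip()
    parts = urlsplit(value if "//" in value else "//" + value)
    if not parts.hostname:
        raise ValueError(f"no hostname in {value!r}")
    return parts.hostname


def check_settings(settings):
    """Merge settings over the defaults and return (clean_settings, problems)."""
    clean, problems = dict(DEFAULTS), []
    clean.update(settings)
    try:
        clean["hostname"] = normalize_hostname(clean.get("hostname", ""))
    except ValueError as exc:
        problems.append(str(exc))
    for key, (low, high) in RANGES.items():
        val = clean[key]
        if isinstance(val, bool) or not isinstance(val, int) or not low <= val <= high:
            problems.append(f"{key}={val!r} outside {low}-{high}")
    for key in ("heartbeatinterval", "period"):
        if not DURATION.match(str(clean[key])):
            problems.append(f"{key}={clean[key]!r} is not a duration such as 60s")
    # Credentials are only checked for presence and never echoed in a message.
    for key in ("api_id", "secret_key", "org_key"):  # hypothetical key names
        if not str(clean.get(key, "")).strip():
            problems.append(f"{key} is empty")
    return clean, problems
```
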