I am new to Elastic Security and currently using an Elastic Cloud deployment for testing purposes, as my company is considering adopting it.
We aim to forward alerts and audit logs from our Carbon Black Cloud to our Elastic deployment. However, I am encountering issues with the "VMware Carbon Black Cloud" integration version 2.8.0 in Elastic Security.
Understanding of Integration Methods:
Based on my research, there are three methods to integrate Carbon Black Cloud with Elastic Security:
1. Collect Carbon Black Cloud logs via API using HTTPJSON [Legacy].
2. Collect Carbon Black Cloud logs via API using CEL [Beta].
3. Collect Carbon Black Cloud logs via AWS S3 or AWS SQS.
Problem:
I attempted both methods 1 and 2 using the API ID and API Secret obtained from Carbon Black. While the API keys work when tested with curl, no data is received in Elastic after configuring the integration.
Questions:
Is AWS S3 required for option 2 (logs via API using CEL), or is it not necessary based on the documentation?
Is it necessary to install the Elastic Agent on all devices connected to the Carbon Black Cloud, or can the integration work without deploying the Elastic Agent?
What might be causing this issue? I have tested with two different deployments and encountered the same problem in both cases.
Any guidance or insights would be greatly appreciated.
I am happy you are considering adopting the solution for further analytics on your Carbon Black logs and alerts.
To answer your questions directly:
Is AWS S3 required for option 2 (logs via API using CEL), or is it not necessary based on the documentation?
S3 is not required; you should be able to ingest directly using HTTPJSON or CEL. Of these two, we recommend using CEL as it supports the most recent Carbon Black APIs.
Getting CEL working is the ideal first step and may be enough for your requirements.
After you get CEL working, if you want to investigate S3 as a higher-throughput ingest mechanism, the Search Lab team has written an excellent blog here.
Is it necessary to install the Elastic Agent on all devices connected to the Carbon Black Cloud, or can the integration work without deploying the Elastic Agent?
You do not need to install Agent on all your connected devices; however, you will need at least one instance of Elastic Agent deployed on a host with network access to the Carbon Black API server.
What might be causing this issue? I have tested with two different deployments and encountered the same problem in both cases.
If you have not deployed an Agent, this is almost certainly your issue.
Our teams are working to support Agentless integrations; however, current support is limited to the CSPM integration. We plan to roll this out to a broader set of integrations over time.
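Since the answer above turns on whether an Elastic Agent host can actually reach the Carbon Black Cloud API with the same API ID and secret used in the integration, here is an added diagnostic script (not Elastic's or VMware's code) to run on the prospective agent host. It assumes the Alerts v7 search endpoint that the CEL input polls; the hostname, org key and credentials are placeholders read from environment variables, and the outcome is mapped to the likely cause of "no data in Elastic".

```python
"""Connectivity and credential check for the Carbon Black Cloud alerts API,
meant to run on the host where the Elastic Agent will be deployed."""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional


def auth_header(api_id: str, api_secret: str) -> dict:
    # Carbon Black Cloud expects "X-Auth-Token: <API secret>/<API ID>".
    return {"X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json"}


def alerts_search_url(hostname: str, org_key: str) -> str:
    # Alerts v7 search endpoint (assumed; hostname and org key are placeholders).
    return f"https://{hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search"


def diagnose(status: Optional[int], reachable: bool) -> str:
    # Translate the raw outcome into the probable reason the integration is silent.
    if not reachable:
        return "network: agent host cannot reach the Carbon Black API"
    if status in (401, 403):
        return "auth: key rejected; check API ID/secret and its access level"
    if status == 200:
        return "ok: API reachable and key accepted from this host"
    return f"unexpected HTTP {status}; inspect the response body"


def check(hostname: str, org_key: str, api_id: str, api_secret: str,
          timeout: int = 10) -> str:
    # Minimal query: one alert from the last day, enough to exercise auth.
    body = json.dumps({"time_range": {"range": "-1d"}, "rows": 1}).encode()
    req = urllib.request.Request(alerts_search_url(hostname, org_key),
                                 data=body, method="POST",
                                 headers=auth_header(api_id, api_secret))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, True)
    except urllib.error.HTTPError as e:
        return diagnose(e.code, True)
    except (urllib.error.URLError, OSError):
        return diagnose(None, False)


if __name__ == "__main__":
    names = ("CBC_HOSTNAME", "CBC_ORG_KEY", "CBC_API_ID", "CBC_API_SECRET")
    env = {k: os.environ.get(k, "") for k in names}
    if not all(env.values()):
        sys.exit("set " + ", ".join(names))
    print(check(*(env[k] for k in names)))
```

A "network" result points at the agent host placement described above; an "auth" result means the key that worked with curl elsewhere is being rejected from this host or lacks the needed access level.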