Corelight Zeek - Learn more about collecting Corelight Zeek logs using a Syslog Collector applet and content pack integration in Cortex XDR.

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

Learn more about collecting Corelight Zeek logs using a Syslog Collector applet and content pack integration in Cortex XDR.

You can collect Corelight Zeek logs using either a Broker VM Syslog Collector applet or a content pack integration:

Corelight Zeek vendor: Description

Syslog Collector applet overview: If you use Corelight Zeek sensors for network monitoring, you can forward network connection logs to Cortex XDR using the Broker VM Syslog Collector applet with TCP as the transport protocol and the Corelight format.

Link to Syslog Collector applet instructions: Ingest logs from Corelight Zeek

Link to content pack/integration details: The Corelight Zeek content pack provides data normalization through rules for parsing and modeling the network protocol logs that a Syslog Collector on the Broker VM ingests into Cortex XDR. It includes Corelight Zeek Modeling Rules and Corelight Zeek Parsing Rules.