Abstract
Learn more about activating a Broker VM with an FTP Collector applet.
Notice
Ingesting logs and data from external sources requires a Cortex XDR Pro per GB license.
The Broker VM provides an FTP Collector applet that enables you to monitor and collect logs from files and folders via FTP, FTPS, and SFTP directly to your log repository for query and visualization purposes. A maximum file size of 500 MB is supported. After you activate the FTP Collector applet on a Broker VM in your network, you can collect files as datasets (<Vendor>_<Product>_raw) by defining the following.
FTP, FTPS, or SFTP (default) connection details with the path to the folder containing the files that you want to monitor and upload to Cortex XDR.
Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either Raw (default), JSON, CSV, TSV, PSV, CEF, LEEF, Corelight, or Cisco. Once the files are uploaded to Cortex XDR, you can define whether the files in the source directory are renamed or deleted.
Danger
Before activating the FTP Collector applet, review and perform the following:
Set up and configure Broker VM.
Ensure that the user permissions for the FTP, SFTP, or FTPS account include the ability to rename and delete files in the folder for which you want to configure collection.
When setting up an FTPS Collector with a server that uses a self-signed certificate, you must first upload the certificate to the Broker VM as a Trusted CA certificate.
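The prerequisites above can be checked from an administrator workstation before the applet is configured. The following is an added example, not part of the Cortex XDR product or documentation: it connects over FTPS while trusting only the certificate file you intend to upload as a Trusted CA, then tests rename and delete rights with a throwaway probe file and lists files over the size limit. Assumptions: the account may also create files (needed for the probe), "500 MB" is read as 500 MiB, the server listens on port 21 with explicit TLS, and the function and probe file names are hypothetical. SFTP is not covered.

```python
import ftplib
import io
import ssl
import uuid

MAX_BYTES = 500 * 1024 * 1024  # assumption: the page's "500 MB" read as 500 MiB


def open_ftps(host, user, password, ca_file):
    """Explicit FTPS, trusting only the CA or self-signed cert in ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    ftp = ftplib.FTP_TLS(context=ctx, timeout=15)
    ftp.connect(host, 21)
    ftp.login(user, password)
    ftp.prot_p()  # protect the data channel as well as the control channel
    return ftp


def preflight(ftp, folder):
    """Report write/rename/delete rights and files over the size limit."""
    result = {"write": False, "rename": False, "delete": False, "oversized": []}
    ftp.cwd(folder)
    probe = current = f".preflight-{uuid.uuid4().hex}"  # hypothetical probe name
    try:
        ftp.storbinary(f"STOR {probe}", io.BytesIO(b"probe"))
        result["write"] = True
        ftp.rename(probe, probe + ".done")
        result["rename"], current = True, probe + ".done"
    except ftplib.error_perm:
        pass  # a denied step stays False in the report
    if result["write"]:
        try:
            ftp.delete(current)  # also cleans up the probe file
            result["delete"] = True
        except ftplib.error_perm:
            pass
    ftp.voidcmd("TYPE I")  # SIZE is only reliable in binary mode
    try:
        names = ftp.nlst()
    except ftplib.error_perm:  # some servers answer 550 for an empty folder
        names = []
    for name in names:
        try:
            if (ftp.size(name) or 0) > MAX_BYTES:
                result["oversized"].append(name)
        except ftplib.error_perm:  # directories have no SIZE
            continue
    return result
# Usage: preflight(open_ftps(host, user, password, ca_file), folder)
```

If `write` is reported as False, the probe could not be created and the rename and delete results are untested rather than denied.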
Select → → → .
Do one of the following:
On the Brokers tab, find the Broker VM, and in the APPS column, left-click → .
On the Clusters tab, find the Broker VM, and in the APPS column, left-click → .
Configure the FTP Collector settings.
(Optional) Click Add Connection to define another FTP connection for collecting logs from files and folders via FTP, FTPS, or SFTP.
(Optional) Other available options.
As needed, you can return to your FTP Collector settings to manage your connections. Here are the actions available to you:
Edit the connection name by hovering over the default Collection name, and selecting the edit icon to edit the text.
Disable/Enable a connection by hovering over the top area of the connection section, on the opposite side of the connection name, and selecting the applicable button.
Delete a connection by hovering over the top area of the connection section, on the opposite side of the connection name, and selecting the delete icon. You can only delete a connection when you have more than one connection configured. Otherwise, this icon is not displayed.
Activate the FTP Collector applet.
After a successful activation, the APPS field displays FTP with a green dot indicating a successful connection.
(Optional) To view metrics about the FTP Collector, left-click the FTP connection in the APPS field for your Broker VM.
Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
Manage the FTP Collector.
After you activate the FTP Collector, you can make additional changes as needed. To modify a configuration, left-click the FTP connection in the APPS column to display the FTP Collector settings, and select: