Add a Cortex XDR Collector profile, which defines the data that is collected from a Linux collector machine, and defines automatic XDR Collector upgrade settings.
Note
Ingestion of log events larger than 5 MB is not supported.
An XDR Collector Linux profile defines the data that is collected from a Linux collector machine. For Linux, you can configure a Filebeat profile and a Settings profile.
The Filebeat profile uses a configuration file in YAML format. To simplify configuring the YAML file, you can add out-of-the-box collection templates. The templates save you time and don't require prior knowledge of configuration file generation. You can edit and combine the provided templates, and you can add your own collection settings to the configuration file.
Use an XDR Collector Linux Filebeat profile to collect file and log data using the Elasticsearch Filebeat default configuration file, called filebeat.yml. Cortex XDR supports using Filebeat version 8.8.1 with the operating systems listed in the Elasticsearch Support Matrix that are also among the collector machine operating systems supported by Cortex XDR. Cortex XDR supports the input types and modules available in Elasticsearch Filebeat.
Note
Fileset validation is enforced. You must enable at least one fileset in the module, because filesets are disabled by default.
Cortex XDR collects all logs in either an uncompressed JSON or text format. Compressed files, such as the gzip format, are not supported.
Cortex XDR supports logs in single line format or multiline format. For more information about handling messages that span multiple lines of text in Elasticsearch Filebeat, see Manage Multiline Messages.
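The following filebeat.yml fragment is an added example, not one of Cortex XDR's own collection templates. It shows the three points above in one file: an explicitly enabled fileset in a module (so fileset validation passes), a filestream input for uncompressed single-line JSON, and a filestream input with a multiline parser. The paths under /var/log/myapp are assumed, and the example assumes that the output section is supplied by the XDR Collector rather than by this file.

```yaml
# Added example filebeat.yml fragment for an XDR Collector Linux Filebeat profile.
# Assumptions: log paths under /var/log/myapp are placeholders; the Filebeat
# output is managed by the XDR Collector and is therefore not configured here.

filebeat.modules:
  # Modules ship with every fileset disabled; Cortex XDR rejects the profile
  # unless at least one fileset in the module is enabled explicitly.
  - module: system
    syslog:
      enabled: true
      var.paths: ["/var/log/syslog*"]
    auth:
      enabled: false

filebeat.inputs:
  # Single-line, uncompressed JSON (one object per line). Compressed files such
  # as .gz are not collected, so they are excluded rather than listed.
  - type: filestream
    id: myapp-json
    enabled: true
    paths:
      - /var/log/myapp/*.json
    parsers:
      - ndjson:
          target: ""          # merge JSON keys into the root of the event
          add_error_key: true # keep malformed lines, flagged with error.message

  # Plain-text application log where stack traces span several lines.
  # Every line that does not start with a timestamp is appended to the
  # preceding event, so one multiline message becomes one event.
  - type: filestream
    id: myapp-text
    enabled: true
    paths:
      - /var/log/myapp/app.log
    parsers:
      - multiline:
          type: pattern
          pattern: '^\d{4}-\d{2}-\d{2}'
          negate: true
          match: after
```

Keep individual events well under the 5 MB ingestion limit noted above; a multiline pattern that never matches a new line start can otherwise merge an entire file into one oversized event.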
Use an XDR Collector Settings profile to configure automatic upgrade settings for XDR Collector releases.
To map your XDR Collector profile to a collector machine, you must use an XDR Collector policy. After you have created your profile, map it to a new or existing policy.
How to configure XDR Collector profiles
Additional XDR Collector profile management options
As needed, you can return to the XDR Collectors Profiles page to manage your XDR Collector profiles. To manage a specific profile, right-click anywhere in an XDR Collector profile row, and select the desired action:
| Option | More details |
|---|---|
| Edit | Lets you edit the XDR Collector profile |
| Save As New | Copies the existing profile with its current settings, so that you can make modifications and save it as a new profile with a unique name |
| Delete | Deletes the XDR Collector profile |
| View Collector Policies | Opens a new tab that displays the XDR Collectors Policies page, showing the policies that are currently associated with your XDR Collector profiles |
| Copy text to clipboard | Copies the text from a specific field in the row of an XDR Collector profile |
| Copy entire row | Copies the text from the entire row of an XDR Collector profile |