Integrate a Syslog Receiver - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product: Cortex XDR
License: Prevent
Creation date: 2024-07-16
Last date published: 2024-10-14
Category: Administrator Guide
Document status: Retiring
Link to new documentation: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

If you want to send Cortex XDR notifications to a Syslog receiver, you can set up log forwarding to the receiver.

To send Cortex XDR notifications to your Syslog server, you need to first define the settings for the Syslog server. Once this is completed, you can then configure notification forwarding.

  1. Before you define the Syslog settings, enable access to the following Cortex XDR IP addresses for your deployment region in your firewall configurations:

    Region                          Log Forwarding IP Addresses
    United States - Americas (US)   35.232.87.9, 35.224.66.220
    Germany (DE)                    35.234.95.96, 35.246.192.146
    Netherlands - Europe (EU)       34.90.202.186, 34.90.105.250
    Canada (CA)                     35.203.54.204, 35.203.52.255
    United Kingdom (UK)             34.105.227.105, 34.105.149.197
    Singapore (SG)                  35.240.192.37, 34.87.125.227
    Japan (JP)                      34.84.88.183, 35.243.76.189
    Australia (AU)                  35.189.38.167, 34.87.219.39
    United States - Government      104.198.222.185, 35.239.59.210
    India (IN)                      34.93.247.41, 34.93.183.131
    Switzerland (CH)                34.65.228.95, 34.65.74.83
    Warsaw (PL)                     34.118.45.145, 34.118.126.170
    Taiwan (TW)                     35.234.2.208, 35.185.171.91
    Qatar (QT)                      34.18.48.182, 34.18.43.40
    France (FA)                     34.163.100.253, 34.155.72.149
    Israel (IL)                     34.165.194.4, 34.165.101.105
    Saudi Arabia (SA)               34.166.50.215, 34.166.55.72
    Indonesia (ID)                  34.101.248.99, 34.101.176.232
    Spain (ES)                      34.175.83.90, 34.175.230.150

  2. Select Settings > Configurations > Integrations > External Applications.

  3. In Syslog Servers, select + New Server.

  4. Define the Syslog server parameters:

    • Name—A unique name for the server profile.

    • Destination—IP address or fully qualified domain name (FQDN) of the Syslog server.

    • Port—The port number on which to send Syslog messages.

    • Facility—Choose one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.

    • Protocol—Select a method of communication with the Syslog server:

      • TCP—No validation is performed on the connection with the Syslog server. However, if there is an error with the domain used to make the connection, the Test connection will fail.

      • UDP—No error checking, error correction, or acknowledgment. No validation is performed for the connection or when sending data.

      • TCP + SSL—Cortex XDR validates the syslog server certificate and uses the certificate signature and public key to encrypt the data sent over the connection.

    • Certificate—The communication between Cortex XDR and the Syslog destination can use TLS. In this case, upon connection, Cortex XDR validates that the Syslog receiver presents a certificate signed by either a trusted root CA or a self-signed certificate. If you receive a certificate error when using a public certificate, you may need to merge the Root and Intermediate certificates into one file.

      Note

      Up to TLS 1.3 is supported.

      If your Syslog receiver uses a self-signed CA, Browse and upload your self-signed Syslog receiver CA.

      Note

      Make sure the self-signed CA includes your public key.

      If you only use a trusted root CA, leave the Certificate field empty.

    • Ignore Certificate Error—Cortex XDR does not recommend this, but you can select this option to ignore certificate errors if they occur. Alerts and logs are then forwarded even if the certificate contains errors.

  5. Test the parameters to ensure a valid connection and Create when ready.

    You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their status.

  6. (Optional) Manage your Syslog server connection.

    In the Syslog Servers table:

    • Locate your Syslog server and right-click to Send text message to test the connection.

      Cortex XDR sends a message to the defined Syslog server; check the receiver to confirm that the test message arrived.

      If the message doesn’t arrive, Cortex XDR displays an error. View the error details and suggested solutions in Syslog Server Test Message Errors.

    • Locate the Status field.

      The Status field displays a Valid or Invalid TCP connection. Cortex XDR tests the connection with the Syslog server every 10 minutes. If no connection is established after 1 hour, Cortex XDR sends a notice to the notification center.

    Note

    If you find the Syslog data limited, Cortex XDR recommends running the Get Alert API for complete alert data.

  7. Configure Notification Forwarding.

    After you integrate with your Syslog receiver, you can configure your forwarding settings.
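As an added example (not code from this guide or from Palo Alto Networks), the receiver side of the TCP + SSL setup above: a minimal Python syslog listener that accepts connections only from the documented log-forwarding addresses of one region, serves a TLS 1.2+ certificate chain, and extracts the RFC 5424 facility and severity from each message. The certificate file names, port 6514 and newline-delimited framing are assumptions.

```python
import ipaddress
import re
import socket
import ssl

# Cortex XDR log-forwarding source addresses for one region, copied from the
# table above (United States - Americas). Use the pair for your tenant region.
CORTEX_XDR_SOURCES = {"35.232.87.9", "35.224.66.220"}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<rest>.*)$", re.S)


def parse_pri(line: str):
    """Return (facility, severity) from the PRI field, or None if malformed.
    PRI = facility * 8 + severity, with facility 0..23 (RFC 5424, 6.2.1)."""
    m = _RFC5424.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def is_allowed_source(addr: str) -> bool:
    """Accept only the documented Cortex XDR egress addresses (defence in depth
    behind the firewall allowlist from step 1)."""
    try:
        return str(ipaddress.ip_address(addr)) in CORTEX_XDR_SOURCES
    except ValueError:
        return False


def serve(certfile: str, keyfile: str, host: str = "0.0.0.0", port: int = 6514):
    """TLS receiver. certfile must hold the full chain (leaf + intermediate)
    so that Cortex XDR can validate it; TLS 1.2 and 1.3 are accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server((host, port)) as srv:
        while True:
            conn, (peer, _) = srv.accept()
            if not is_allowed_source(peer):
                conn.close()  # drop anything that is not a Cortex XDR forwarder
                continue
            with ctx.wrap_socket(conn, server_side=True) as tls:
                for raw in tls.makefile("rb"):  # assumes one message per line
                    line = raw.decode("utf-8", "replace").rstrip("\r\n")
                    print(peer, parse_pri(line), line)


if __name__ == "__main__":
    serve("receiver-chain.pem", "receiver-key.pem")  # assumed file names
```

Run it, then use Send text message from the Syslog Servers table: the printed facility should match the Facility value chosen in step 4.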