Activate the FTP Collector - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-02-26
Last date published: 2024-06-20
Category: Administrator Guide
Abstract

Learn more about activating a Broker VM with an FTP Collector applet.

Notice

Ingesting logs and data from external sources requires a Cortex XDR Pro per GB license.

The Broker VM provides an FTP Collector applet that enables you to monitor and collect logs from files and folders via FTP, FTPS, and SFTP directly to your log repository for query and visualization purposes. A maximum file size of 500 MB is supported. After you activate the FTP Collector applet on a Broker VM in your network, you can collect files as datasets (<Vendor>_<Product>_raw) by defining the following.

  • FTP, FTPS, or SFTP (default) connection details with the path to the folder containing the files that you want to monitor and upload to Cortex XDR.

  • Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either Raw (default), JSON, CSV, TSV, PSV, CEF, LEEF, Corelight, or Cisco. Once the files are uploaded to Cortex XDR, you can define whether the files are renamed or deleted in the source directory.

Danger

Before activating the FTP Collector applet, review and perform the following:

  • Configure the Broker VM.

  • Ensure that the FTP, FTPS, or SFTP user account has permission to rename and delete files in the folder for which you want to configure collection.

  • When setting up an FTPS Collector with a server that uses a self-signed certificate, you must first upload the certificate to the Broker VM as a Trusted CA certificate.
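The prerequisites above (rename/delete rights on the source folder, a trusted CA for a self-signed FTPS server) and the 500 MB file limit can be checked from the network before the applet is activated. The following pre-flight script is an added example, not Palo Alto Networks code; the host, credentials, folder and CA path are placeholders, and it assumes the server supports explicit FTPS and the MLSD command.

```python
"""Pre-flight check for an FTPS source folder before activating the FTP Collector.

Added example (not Cortex XDR / Broker VM code). Host, credentials, folder and
CA path are placeholders to replace; the server must support explicit FTPS and MLSD.
"""
import io
import ssl
from ftplib import FTP_TLS

MAX_FILE_BYTES = 500 * 1024 * 1024  # file-size limit stated in the guide (500 MB)


def oversized_files(listing, limit=MAX_FILE_BYTES):
    """Return names of regular files larger than `limit`.

    `listing` is an iterable of (name, facts) pairs as produced by FTP.mlsd().
    """
    return sorted(
        name for name, facts in listing
        if facts.get("type") == "file" and int(facts.get("size", 0)) > limit
    )


def ftps_context(ca_bundle):
    """TLS context trusting only the given CA bundle, i.e. the same self-signed
    certificate you upload to the Broker VM as a Trusted CA certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def preflight(host, user, password, folder, ca_bundle):
    """Connect over explicit FTPS, probe rename/delete rights, flag oversized files."""
    with FTP_TLS(host, context=ftps_context(ca_bundle)) as ftp:
        ftp.login(user, password)       # login() issues AUTH TLS first
        ftp.prot_p()                    # protect the data channel as well
        ftp.cwd(folder)
        too_big = oversized_files(ftp.mlsd())
        # The collector renames or deletes files after upload; prove we may do both.
        probe = ".xdr_collector_probe"
        ftp.storbinary(f"STOR {probe}", io.BytesIO(b"probe"))
        ftp.rename(probe, probe + ".renamed")
        ftp.delete(probe + ".renamed")
        return too_big


# Constructed sample listing (MLSD facts) used for an offline check of the size filter.
SAMPLE_LISTING = [
    ("fw-2024-06-19.log", {"type": "file", "size": str(120 * 1024 * 1024)}),
    ("fw-archive.log",    {"type": "file", "size": str(600 * 1024 * 1024)}),
    ("done",              {"type": "dir"}),
]

if __name__ == "__main__":
    print("over 500 MB:", oversized_files(SAMPLE_LISTING))
```

Replace the placeholders and call `preflight(...)`; any names it returns will be skipped by the applet and should be split before collection, and a TLS or permission error surfaces the missing prerequisite before activation.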

  1. Select Settings → Configurations → Data Broker → Broker VMs.

  2. In either the Brokers tab or the Clusters tab, locate your Broker VM.

  3. You can either right-click the Broker VM and select Add App → FTP Collector, or in the APPS column, left-click Add → FTP Collector.

  4. Configure the FTP Collector settings.

  5. (Optional) Add Connection to define another FTP connection for collecting logs from files and folders via FTP, FTPS, or SFTP.

  6. (Optional) Other available options.

    As needed, you can return to your FTP Collector settings to manage your connections. Here are the actions available to you.

    • Edit the connection name by hovering over the default Collection name and selecting the edit icon.

    • Disable/Enable a connection by hovering over the top area of the connection section, on the opposite side of the connection name, and selecting the applicable button.

    • Delete a connection by hovering over the top area of the connection section, on the opposite side of the connection name, and selecting the delete icon. You can only delete a connection when you have more than one connection configured. Otherwise, this icon is not displayed.

  7. Activate the FTP Collector applet.

    After a successful activation, the APPS field displays FTP with a green dot indicating a successful connection.

  8. (Optional) To view metrics about the FTP Collector, left-click the FTP connection in the APPS field for your Broker VM.

    Cortex XDR displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.

  9. Manage the FTP Collector.

    After you activate the FTP Collector, you can make additional changes as needed. To modify a configuration, left-click the FTP connection in the APPS column to display the FTP Collector settings, and select:

    • Configure to redefine the FTP Collector configurations.

    • Deactivate to disable the FTP Collector.

    You can also Ingest FTP Files as Datasets.