Activate the Syslog Collector - Learn how to set up and activate the Syslog Collector applet on a Broker VM within your network. - Administrator Guide - Cortex XDR - Cortex

Activate the Syslog Collector - Learn how to set up and activate the Syslog Collector applet on a Broker VM within your network. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2024-07-16

Last date published

2024-12-12

Notice

Ingesting Logs and Data from external sources requires a Cortex XDR Pro per GB license.

To receive Syslog data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network. The Syslog Collector supports a log ingestion rate of 90,000 logs per second (lps) with the recommended Broker VM setup.

To increase the log ingestion rate, you can add additional CPUs to the Broker VM. The Syslog Collector listens for logs on specific ports and from any or specific IP addresses.

Danger

Configure the Broker VM

Perform the following procedures in the order listed below.

Task 1. Add a Syslog Collector

Select Settings → Configurations → Data Broker → Broker VMs.
In either the Brokers tab or the Clusters tab, locate your Broker VM.
You can either right-click the Broker VM and select Add App → Syslog Collector, or in the APPS column, left-click Add → Syslog Collector.

Task 2. Configure the Syslog Collector

Cortex XDR supports multiple sources over a single port on a single Syslog Collector. The following options are available:

Edit the Optional Settings of the default PORT/PROTOCOL: 514/UDP. See Task 3.
Note
Once configured, you cannot change the Port/PROTOCOL. If you don’t want to use a data source, ensure to remove the data source from the list as explained in Task 5.
Add a new Syslog Collector data source. See Task 4.

Task 3. Edit the default 514/UDP Syslog Collector data source

Right-click the 514/UDP PORT/PROTOCOL, and select Edit.
Configure these Optional Settings:
Format
Select the Syslog format you want to send to the UDP 514 protocol and port on the Syslog Collector: Auto-Detect (default), CEF, LEEF, CISCO, CORELIGHT, or RAW.
Note
The Vendor and Product defaults to Auto-Detect when the Log Format is set to CEF or LEEF.
For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row to look for the Vendor and Product configured in the logs. When the values are populated in the event log row, Cortex XDR uses these values even if you specified a value in the Vendor and Product fields in the Syslog Collector settings. Yet, when the values are blank in the event log row, Cortex XDR uses the Vendor and Product that you specified in the Syslog Collector settings. If you did not specify a Vendor or Product in the Syslog Collector settings and the values are blank in the event log row, the values for both fields are set to unknown.
Vendor and Product
Specify a particular vendor and product for the Syslog format defined or leave the default Auto-Detect setting.
Source Network
Specify the IP address or Classless Inter-Domain Routing (CIDR). If you leave this blank, Cortex XDR will allow receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the addresses matter. In this example, the IP address 10.0.0.10 is only captured from the first row definition. For more information on prioritizing the order of the syslog formats, see Task 5.
After each configuration, select to save the changes and then Done to update the Syslog Collector with your settings.

Task 4. Add a new Syslog Collector data source

Select Add New.
Configure these mandatory General settings:
Protocol
Choose a protocol over which the Syslog will be sent: UDP, TCP, or Secure TCP.
Secure TCP
When configuring the Protocol as Secure TCP, these additional General Settings are available:
Server Certificate: Browse to your server certificate to configure server authentication.
Private Key: Browse to your private key for the server certificate.
Optional CA Certificate: (Optional) Browse to your CA certificate for mutual authentication.
The log forwarder (for example, a firewall) authenticates the Broker VM by default. The Broker VM does not authenticate the log forwarder by default, but you can use this option to set set up such authentication. If you use this option, ensure that you have a client certificate on the log forwarding side that matches the CA certificate on the Broker VM side.
Minimal TLS Version: Select either 1.0 or 1.2 (default) as the minimum TLS version allowed.
Note
The server certificate and private key pair is expected in a PEM format.
Cortex XDR will notify you when your certificates are about to expire.
Port
Choose a port on which the Syslog Collector will listen for logs.
Note
Because some port numbers are reserved by Cortex XDR , you must choose a port number that is not:
In the range of 0-1024 (except for 514)
In the range of 63000-65000
Values of 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 28672
Configure these Optional Settings:
Format
Select the Syslog format you want to send to the UDP/514 protocol and port on the Syslog Collector: Auto-Detect (default), CEF, LEEF, CISCO, CORELIGHT, or RAW.
Vendor and Product
Enter a particular vendor and product for the Syslog format defined or leave the default Auto-Detect setting.
Source Network
Specify the IP address or Classless Inter-Domain Routing (CIDR). If you leave this blank, Cortex XDR will allow receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the addresses matter. In this example, the IP address 10.0.0.10 is only captured from the first row definition. For more information on prioritizing the order of the syslog formats, see Task 5.
After each configuration, select to save the changes and then Done to update the Syslog Collector with your settings.

Task 5. Make additional changes to the Syslog Collector data sources configured

To remove a Syslog Collector data source, right-click the row after the Port/Protocol entry, and select Remove.
To prioritize the order of the Syslog formats listed for the protocols and ports configured, drag and drop the rows to the order you require.

Task 6. Save the Syslog Collector settings

Click Save. After a successful activation, the APPS field displays Syslog with a green dot indicating a successful connection.

Task 7. (optional) View metrics about the Syslog Collector

To view metrics about the Syslog Collector, left-click the Syslog connection in the APPS field for your Broker VM. Cortex XDR displays the following information:

Step 8. Manage the Syslog Collector

After the Syslog Collector has been activated, you can make additional changes to your configuration if needed. To modify a configuration, left-click the Syslog connection in the APPS column to display the Syslog Collector settings, and select:

Configure to redefine the Syslog configurations.
Deactivate to disable the Syslog Collector.

Notice

Danger

Task 1. Add a Syslog Collector

Task 2. Configure the Syslog Collector

Note

Task 3. Edit the default 514/UDP Syslog Collector data source

Note

Task 4. Add a new Syslog Collector data source

Note

Note

Task 5. Make additional changes to the Syslog Collector data sources configured

Task 6. Save the Syslog Collector settings

Task 7. (optional) View metrics about the Syslog Collector

Step 8. Manage the Syslog Collector