Ingest Logs from a Syslog Receiver - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide


Ingesting logs and data requires a Cortex XDR Pro per GB license.

Cortex XDR can receive Syslog from a variety of supported vendors (see External Data Ingestion Vendor Support). In addition, Cortex XDR can receive Syslog from additional vendors that use CEF, LEEF, CISCO, CORELIGHT, or RAW formatted over Syslog (TLS not supported).

After Cortex XDR begins receiving logs from the third-party source, Cortex XDR automatically parses the logs in CEF, LEEF, CISCO, CORELIGHT, or RAW format and creates a dataset with the name <vendor>_<product>_raw. You can then use XQL Search queries to view logs and create new IOC, BIOC, and Correlation Rules.

To receive Syslog from an external source:

  1. Set up your Syslog receiver to forward logs.

  2. Activate the Syslog Collector applet on a Broker VM within your network.

  3. Use the XQL Search to search your logs.