Ingest Logs from a Syslog Receiver

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-11-07
Category: Administrator Guide
Status: Retiring; the replacement documentation is at /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

To extend visibility, Cortex XDR can receive Syslog from additional vendors that send CEF- or LEEF-formatted logs over Syslog (TLS is not supported).

Notice

Ingesting logs and data requires a Cortex XDR Pro per GB license.

Cortex XDR can receive Syslog from a variety of supported vendors (see External Data Ingestion Vendor Support). In addition, Cortex XDR can receive Syslog from additional vendors that send logs in CEF, LEEF, CISCO, CORELIGHT, or RAW format over Syslog.

After Cortex XDR begins receiving logs from the third-party source, it automatically parses the logs in CEF, LEEF, CISCO, CORELIGHT, or RAW format and creates a dataset named <vendor>_<product>_raw. You can then use XQL Search queries to view the logs and create new IOC, BIOC, and Correlation Rules from them.

To receive Syslog from an external source:

  1. Set up your Syslog receiver to forward logs.

  2. Activate the Syslog Collector applet on a Broker VM within your network.

  3. Use the XQL Search to search your logs.
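The parsing stage in the procedure above is the part a practitioner most often needs to reason about when a source's events land in the raw dataset looking wrong. The following is an added example, not Cortex XDR or Palo Alto Networks code, that parses CEF and LEEF payloads as they arrive over Syslog (optional PRI and RFC 3164 header in front), honours the backslash escapes both formats use, handles the LEEF 2.0 custom delimiter field, and derives a `<vendor>_<product>_raw` style name. Two assumptions are marked in the code: vendor and product are taken from the CEF/LEEF header (the page does not say where the product takes them from), and the lower-casing and underscore normalization of the dataset name is this example's choice. The sample lines are constructed.

```python
"""Added example (not Cortex XDR code): parse CEF and LEEF event lines received
over Syslog and derive a <vendor>_<product>_raw style dataset name."""
import re
from typing import Dict, List, Tuple

# Optional syslog PRI (<134>) and RFC 3164 timestamp/hostname before the payload.
_SYSLOG_HDR = re.compile(
    r"^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s)?"
)


def _unescape(text: str) -> str:
    """Undo the backslash escapes (\\| \\= \\\\ \\n \\r) used by CEF and LEEF."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def _split_header(body: str, count: int) -> Tuple[List[str], str]:
    """Take `count` '|'-separated header fields, treating '\\|' as a literal pipe.
    Returns the unescaped fields and the unparsed remainder after the last '|'."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep the escape pair for _unescape
            cur.append(body[i:i + 2]); i += 2
        elif ch == "|":
            fields.append(_unescape("".join(cur))); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < count:
        raise ValueError("truncated header: expected %d fields" % count)
    return fields, body[i:]


def _parse_ext(ext: str, sep: str) -> Dict[str, str]:
    """Parse key=value extension pairs. CEF uses spaces, so a value may itself
    contain spaces; split only where whitespace is followed by a new key=."""
    chunks = re.split(r"\s+(?=[\w.\-]+=)", ext.strip()) if sep == " " else ext.split(sep)
    pairs = {}
    for chunk in chunks:
        if not chunk:
            continue
        m = re.match(r"([\w.\-]+)=(.*)", chunk, re.S)
        if not m:
            raise ValueError("bad key=value pair: %r" % chunk)
        pairs[m.group(1)] = _unescape(m.group(2))
    return pairs


def dataset_name(vendor: str, product: str) -> str:
    """<vendor>_<product>_raw as the page describes. Lower-casing and replacing
    non-alphanumerics with '_' is this example's assumption, not documented behaviour."""
    norm = lambda s: re.sub(r"[^a-z0-9]+", "_", s.lower()).strip("_")
    return f"{norm(vendor)}_{norm(product)}_raw"


def parse_event(line: str) -> Dict[str, object]:
    """Parse one Syslog line carrying a CEF or LEEF payload into a flat record."""
    payload = _SYSLOG_HDR.sub("", line.rstrip("\r\n"), count=1)
    if payload.startswith("CEF:"):
        # CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension
        hdr, ext = _split_header(payload[4:], 7)
        fmt, (version, vendor, product, dev_version, sig_id, name, severity) = "CEF", hdr
        extra, ext_sep = {"signature_id": sig_id, "name": name, "severity": severity}, " "
    elif payload.startswith("LEEF:"):
        # LEEF:Version|Vendor|Product|DevVersion|EventID|[Delimiter|]Extension
        hdr, ext = _split_header(payload[5:], 5)
        fmt, (version, vendor, product, dev_version, event_id) = "LEEF", hdr
        extra, ext_sep = {"event_id": event_id}, "\t"     # tab is the default delimiter
        if version == "2.0":
            # Assumption: a delimiter field is present if a '|' precedes the first '='.
            eq, bar = ext.find("="), ext.find("|")
            if bar != -1 and (eq == -1 or bar < eq):
                delim, ext = ext[:bar], ext[bar + 1:]
                if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):   # e.g. x09 for tab
                    ext_sep = chr(int(delim[1:], 16))
                elif delim:
                    ext_sep = delim
    else:
        raise ValueError("payload is neither CEF nor LEEF")
    return {
        "format": fmt, "format_version": version,
        "vendor": vendor, "product": product, "device_version": dev_version,
        "dataset": dataset_name(vendor, product),   # assumption: name from header fields
        **extra,
        "extension": _parse_ext(ext, ext_sep),
    }


# Constructed sample lines; vendor, product and addresses are placeholders.
SAMPLE_LINES = [
    "<134>Jul 16 10:00:00 fw01 CEF:0|Example Corp|Edge FW|3.2|100|Blocked outbound connection|6|"
    "src=10.0.0.5 dst=203.0.113.9 dpt=4444 act=block msg=policy\\=egress-deny",
    "<134>Jul 16 10:00:01 idp01 LEEF:2.0|Example Corp|Auth Gateway|1.0|LOGIN_FAIL|^|"
    "src=10.0.0.7^usrName=alice^reason=bad password",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_event(raw))
```

The escape handling is the part worth checking against your own source: a vendor that emits an unescaped `|` in a CEF name or an unescaped `=` in a value will shift every following field, and the resulting raw dataset will look like it has been parsed into the wrong columns. Running a few captured lines through a parser like this before activating the collector tells you whether the source's output is well-formed.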