Cortex Xpanse enables you to forward alerts, management audit logs, and reports to external applications.
To help you stay informed and updated, you can forward Cortex Xpanse alerts, management audit logs, and reports to an external syslog receiver, a Slack channel, or to email accounts.
Log Forwarding Data Types
In Cortex Xpanse, log forwarding includes different data types, which you can receive through different messaging formats.
To ensure you and your colleagues are informed and updated about events in your deployment, you can configure notification forwarding to Email, Slack, or a syslog receiver. The following table displays the data types supported by each notification receiver.
Data Type | Slack | Syslog | Email
---|---|---|---
Alerts | Yes | Yes | Yes
Management Audit Log | — | Yes | Yes
Reports | — | |
Integrate a Syslog Receiver
If you want to send Cortex Xpanse notifications to a Syslog receiver, you can set up log forwarding to the receiver.
To send Cortex Xpanse notifications to your Syslog server, you need to first define the settings for the Syslog server.
Before you define the Syslog settings, enable access to the following Cortex Xpanse IP addresses for your deployment region in your firewall configurations:
Region | Log Forwarding IP Addresses
---|---
United States - Americas (US) | 35.232.87.9, 35.224.66.220
Germany (DE) | 35.234.95.96, 35.246.192.146
Netherlands - Europe (EU) | 34.90.202.186, 34.90.105.250
Canada (CA) | 35.203.54.204, 35.203.52.255
United Kingdom (UK) | 34.105.227.105, 34.105.149.197
Singapore (SG) | 35.240.192.37, 34.87.125.227
Japan (JP) | 34.84.88.183, 35.243.76.189
Australia (AU) | 35.189.38.167, 34.87.219.39
United States - Government | 104.198.222.185, 35.239.59.210
India (IN) | 34.93.247.41, 34.93.183.131
Switzerland (CH) | 34.65.228.95, 34.65.74.83
Select → → → . In Syslog Servers, add + New Server.
Define the Syslog server parameters:
Name—A unique name for the server profile.
Destination—IP address or fully qualified domain name (FQDN) of the Syslog server.
Port—The port number on which to send Syslog messages.
Facility—Choose one of the standard syslog facility values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.
Protocol—Select a method of communication with the Syslog server:
TCP—No validation is made on the connection with the Syslog server. However, if an error occurs with the domain used to make the connection, the Test connection fails.
UDP—No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.
TCP + SSL— Cortex Xpanse validates the syslog server certificate and uses the certificate signature and public key to encrypt the data sent over the connection.
Certificate—The communication between Cortex Xpanse and the Syslog destination can use TLS. In this case, upon connection, Cortex Xpanse validates that the Syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate.
Note
Up to TLS 1.2 is supported.
If your Syslog receiver uses a self-signed CA, Browse and upload the self-signed Syslog receiver CA.
Note
Make sure the self-signed CA includes your public key.
If you only use a trusted root CA, leave the Certificate field empty.
Ignore Certificate Error—Not recommended by Cortex Xpanse, but you can select this option to ignore certificate errors if they occur. Alerts and logs are then forwarded even if the certificate contains errors.
Test the parameters to ensure a valid connection and Create when ready.
You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their status.
(Optional) Manage your Syslog server connection.
In the Syslog Servers table, locate your Syslog server and right-click to Send test message to test the connection.
Cortex Xpanse sends a message to the defined Syslog server, which you can check to confirm that the test message arrived.
If the message doesn’t arrive, Cortex Xpanse displays an error. View the error details and suggested solutions in Syslog Server Test Message Errors.
Locate the Status field.
The Status field displays a Valid or Invalid TCP connection. Cortex Xpanse tests the connection with the Syslog server every 10 minutes. If no connection is found after 1 hour, Cortex Xpanse sends a notice to the notification center.
Note
If you find the Syslog data limited, Cortex Xpanse recommends running the Get Alert API for complete alert data.
After you integrate with your Syslog receiver, you can configure your forwarding settings.
Integrate Slack for Outbound Notifications
Cortex Xpanse enables you to integrate the Slack messaging application for outbound notifications to be received by Slack recipients.
Integrate Expander with your Slack workspace to better manage and highlight your Cortex Xpanse alerts and reports. By creating a Cortex Xpanse Slack channel, you ensure that the alerts you define are visible on laptop and mobile devices through the Slack interface. Unlike email notifications, Slack channels are dedicated spaces that you can use to contact specific members about your Cortex Xpanse alerts.
To configure a Slack notification, you must first install and configure the Cortex Xpanse app on Slack.
From Cortex Xpanse, select → → → .
Select the provided link to install Cortex Xpanse on your Slack workspace.
Note
You are directed to the Slack browser page to install the Cortex Xpanse app. You can only use this link to install Cortex Xpanse on Slack. Attempting to install from the Slack marketplace redirects you to the Cortex Xpanse documentation.
Click Submit.
Upon successful installation, Cortex Xpanse displays the workspace to which you connected.
After you integrate with your Slack workspace, you can configure your forwarding settings.
Configure Notification Forwarding
Set up notifications to keep your teams up to date on the audit logs and alerts that matter to them.
With Cortex Xpanse you can set up notifications to keep your teams up to date on the audit log and alerts that matter to them. To set up notifications, you create a forwarding configuration that specifies the log type you want to forward. You can also add filters to your configuration to send notifications that match specific criteria. Notifications can be configured for people or teams who are not Xpanse users.
Note
Cortex Xpanse applies the filter only to future alerts.
Use this workflow to configure notifications for alerts and management audit logs. To receive notifications about reports, see Create a Report from Scratch.
Select → → → . + Add Forwarding Configuration.
Define the configuration Name and Description.
Select the Log Type you want to forward:
Alerts—Send notifications for specific alert types.
Management Audit Logs—Send notifications for audit logs about events related to your Cortex Xpanse management console.
In the Configuration Scope, Filter the type of information you want included in a notification.
For example, set the filter Severity = High, Resolution Status = New. Cortex Xpanse sends the alerts or events matching this filter as a notification.
(Optional) Define your Email Configuration.
In Email Distribution, add the email addresses to which you want to send email notifications.
Define the Email Grouping Time Frame, in minutes, to specify how often Cortex Xpanse sends notifications. Every 30 alerts aggregated within this time frame are sent together in one notification, sorted according to severity. To send a notification as soon as one alert is generated, set the time frame to 0.
Choose whether you want Cortex Xpanse to provide an auto-generated subject.
If you previously used the Log Forwarding app and want to continue forwarding logs in the same format, you can Use Legacy Log Format. See Log Format for IOC and BIOC Alerts.
Configure additional forwarding options.
Depending on the notification integrations supported by the Log Type, configure the desired Slack channel or Syslog receiver notification settings.
Note
Before you can select a Slack channel or Syslog receiver, you must Integrate Slack for Outbound Notifications and Integrate a Syslog Receiver.
Enter the Slack channel name and select from the list of available channels.
Slack channels are managed independently of Cortex Xpanse in your Slack workspace. After integrating your Slack account with your Cortex Xpanse tenant, Cortex Xpanse displays a list of specific Slack channels associated with the integrated Slack workspace.
Select a Syslog receiver.
Cortex Xpanse displays the list of receivers integrated with your Cortex Xpanse tenant.
Select Done to create the forwarding configuration.
(Optional) To later modify a saved forwarding configuration, right-click the configuration, and Edit, Disable, or Delete it.
Syslog Server Test Message Errors
Learn more about Syslog Server test message errors.
When you configure a Syslog server, Cortex Xpanse sends a test message. If the test message cannot be sent, Cortex Xpanse displays an error message to help you troubleshoot. The descriptions and suggested solutions for the error messages are listed below.
Error Message | Description | Suggested Solution |
---|---|---|
Host Resolving Failed | The IP address or hostname you provided doesn't exist, or can't be resolved. | Ensure you have the correct IP address or the hostname. |
Configured Local Address | The IP address or hostname you provided is internal and can't be used. | Ensure you have the correct IP address or the hostname. |
Wrong Certificate Format | The certificate you uploaded is in an unexpected format and can't be used. The certificate must be an ASCII string or a bytes-like object. | Re-create the certificate in the correct format, for example: -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- |
Connection Timed Out | Cortex Xpanse didn't connect to the syslog server in the expected time. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection. | Check the firewall logs and the connection using Wireshark. |
Connection Refused | The syslog server refused the connection. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection. | Check the firewall logs and the connection using Wireshark. |
Connection Reset | The connection was reset by the syslog server. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection. | Check the firewall logs and the connection using Wireshark. |
Certificate Verification Failed | The uploaded certificate couldn't be verified for one of the following reasons. | |
Connection Terminated Abruptly | The firewall or the syslog server dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration of the syslog server drops the connection, or the network is unstable. | Check the firewall logs and the connection using Wireshark. |
Host Unreachable | The network configuration is faulty and the connection can't reach the syslog server. | Check the network configuration to make sure everything is configured correctly, for example a firewall or a load balancer that may be accidentally directing the connection to a dead server. |
SSL Error | Unknown SSL error. | To investigate the issue, contact support. |
Connection Unavailable | General error. | To investigate the issue, contact support. |
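A pre-flight check for a new Syslog server profile, written here as an added example (not Cortex Xpanse code): it classifies the Destination value and the uploaded CA file as the Syslog server parameters above require, then opens a TCP or TCP + SSL connection the way those profiles do and maps any failure to the error names in the test-message table. The function names and the mapping of socket exceptions to those names are my assumptions about how the table's categories arise, not the product's own logic.

```python
import errno
import ipaddress
import re
import socket
import ssl

# One base64 PEM block; a merged Root + Intermediate file contains two or more of these.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")

def check_destination(destination: str):
    """Classify the Destination field before the test runs; None means it looks usable."""
    try:
        ip = ipaddress.ip_address(destination)
    except ValueError:  # not a literal IP, so treat it as an FQDN and resolve it
        try:
            ip = ipaddress.ip_address(socket.getaddrinfo(destination, None)[0][4][0])
        except (socket.gaierror, IndexError):
            return "Host Resolving Failed"
    # Xpanse connects from its cloud IPs, so loopback, RFC 1918 and link-local targets can't be used.
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return "Configured Local Address"
    return None

def count_pem_certificates(pem_text: str) -> int:
    """Number of PEM certificates in an uploaded CA file; 0 maps to "Wrong Certificate Format"."""
    return len(PEM_BLOCK.findall(pem_text))

def probe_connection(host: str, port: int, use_tls=False, cafile=None, timeout=5.0):
    """Connect the way the TCP / TCP + SSL profiles do and map any failure to the table's error name."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if use_tls:
                ctx = ssl.create_default_context(cafile=cafile)  # system roots, or the uploaded self-signed CA
                ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the page states TLS 1.2 is the maximum
                with ctx.wrap_socket(raw, server_hostname=host):
                    pass  # handshake completed: certificate chain and hostname were accepted
        return None
    except ssl.SSLCertVerificationError:
        return "Certificate Verification Failed"
    except ssl.SSLError:
        return "SSL Error"
    except socket.timeout:
        return "Connection Timed Out"
    except ConnectionRefusedError:
        return "Connection Refused"
    except ConnectionResetError:
        return "Connection Reset"
    except OSError as exc:
        return "Host Unreachable" if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH) else "Connection Unavailable"
```

Run `check_destination` and `count_pem_certificates` on the values you are about to enter, then `probe_connection` against the receiver from a host that can reach it; a returned name points you straight at the matching row of the table.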