Verifying Collector Connectivity

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide

Abstract

Verify collector connectivity and troubleshoot collector errors.

You can verify the connectivity status of a collector instance on the Data Sources page. Instances are grouped by integration, and a status icon shows a summary of instance statuses for each integration. Expand the integration section to see the status of each individual instance, and hover over the status icons to see details about warning or error statuses.

Troubleshooting collector errors

Where can I see if I have a connectivity error on a collector instance?

On the Data Sources page, instances in error status display an error icon. Hover over the error icon next to the instance name to see the error message as received from the API.

Where can I trace the connectivity changes of a collector instance?

Each status change of an instance is logged in the collection_auditing dataset. Querying this dataset can help you see all the connectivity changes of an instance over time, the escalation or recovery of the connectivity status, and the error, warning, and informational messages related to status changes.

This example searches for errors on Strata IOT integrations:

dataset = collection_auditing
| filter classification = "Error" and collector_type = "STRATA_IOT"

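
To trace escalation and recovery per instance, the rows can be exported without the classification filter and processed offline. The following is an added example, not part of the product documentation: the "_time" and "instance" column names and every classification value other than "Error" are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, shaped like an export of collection_auditing results.
# "classification" and "collector_type" come from the query above; "_time",
# "instance" and the non-Error classification values are assumptions.
SAMPLE_ROWS = [
    {"_time": "2024-04-01T09:30:00", "instance": "iot-eu", "collector_type": "STRATA_IOT", "classification": "Informational"},
    {"_time": "2024-04-01T08:00:00", "instance": "iot-eu", "collector_type": "STRATA_IOT", "classification": "Informational"},
    {"_time": "2024-04-01T09:00:00", "instance": "iot-eu", "collector_type": "STRATA_IOT", "classification": "Error"},
    {"_time": "2024-04-01T09:05:00", "instance": "iot-eu", "collector_type": "STRATA_IOT", "classification": "Error"},
    {"_time": "2024-04-01T10:15:00", "instance": "iot-us", "collector_type": "STRATA_IOT", "classification": "Error"},
    {"_time": "2024-04-01T10:00:00", "instance": "iot-us", "collector_type": "STRATA_IOT", "classification": "Warning"},
]


def trace_transitions(rows):
    """Summarise, per instance, when it entered and left Error status."""
    by_instance = defaultdict(list)
    for row in rows:
        by_instance[row["instance"]].append(row)

    report = {}
    for name, events in by_instance.items():
        # Exports are not guaranteed to be ordered, so sort by timestamp first.
        events.sort(key=lambda r: datetime.fromisoformat(r["_time"]))
        transitions, in_error, error_since, downtime = [], False, None, 0.0
        for event in events:
            ts = datetime.fromisoformat(event["_time"])
            is_error = event["classification"] == "Error"
            if is_error and not in_error:        # escalation into Error
                transitions.append((event["_time"], "escalation"))
                error_since = ts
            elif in_error and not is_error:      # recovery out of Error
                transitions.append((event["_time"], "recovery"))
                downtime += (ts - error_since).total_seconds()
            in_error = is_error                  # repeated Error rows add no transition
        report[name] = {
            "transitions": transitions,
            "error_seconds": int(downtime),      # closed error windows only
            "still_in_error": in_error,
        }
    return report


if __name__ == "__main__":
    for instance, summary in trace_transitions(SAMPLE_ROWS).items():
        print(instance, summary)
```

Instances reported with still_in_error set are the ones whose data collection is currently interrupted and should be checked first on the Data Sources page.
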
How can I set up collection alerts for collector errors?

Cortex XSIAM creates a collection alert each time an instance displays an error status. You can see a log of all collection alerts on the Data Ingestion Health page. For more information, see Viewing ingestion and collection alerts.

How can I set up notifications for collection alerts?

Cortex XSIAM Data Ingestion Monitoring adds a notification to the Notifications Center when a collection alert occurs.

Note