Activate Syslog Collector - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Learn how to set up and activate the Syslog Collector applet on a Broker VM within your network.

To receive syslog data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network. The Syslog Collector supports a log ingestion rate of 90,000 logs per second (lps) with the recommended Broker VM setup.

To increase the log ingestion rate, add CPUs to the Broker VM. The Syslog Collector listens on the ports you configure and accepts logs either from any source or only from the IP addresses or networks you specify.

Perform the following procedures in the order listed below.

  1. Select Settings > Configurations > Data Broker > Broker VMs.

  2. Do one of the following:

    • On the Brokers tab, find the Broker VM, and in the APPS column, left-click Add > Syslog Collector.

    • On the Clusters tab, find the Broker VM, and in the APPS column, left-click Add > Syslog Collector.

Cortex XSIAM supports multiple sources over a single port on a single Syslog Collector: each data-source row pairs a PORT/PROTOCOL with a Format, a Vendor and Product, and a Source Network. The following options are available:

  • Edit the Optional Settings of the default PORT/PROTOCOL, 514/UDP. See Task 3.

    Note

    Once a data source is configured, you cannot change its PORT/PROTOCOL. If you do not want to use a data source, remove it from the list as explained in Task 5.

  • Add a new Syslog Collector data source. See Task 4.

To edit the default 514/UDP data source (Task 3):

  1. Right-click the 514/UDP PORT/PROTOCOL, and select Edit.

  2. Configure these Optional Settings:

    Format
    Select the format of the syslog messages that arrive on UDP port 514 of the Syslog Collector: Auto-Detect (default), CEF, LEEF, CISCO, CORELIGHT, or RAW.

    Note

    • Vendor and Product default to Auto-Detect when the Format is set to CEF or LEEF.

    • For a Format of CEF or LEEF, Cortex XSIAM reads each event and looks for the Vendor and Product fields in the event header. When those values are present in the event, Cortex XSIAM uses them even if you specified a Vendor and Product in the Syslog Collector settings. When they are blank in the event, Cortex XSIAM uses the Vendor and Product you specified in the Syslog Collector settings. If you did not specify a Vendor or Product and the values are also blank in the event, both fields are set to unknown.

    Vendor and Product
    Specify a particular vendor and product for the selected format, or leave the default Auto-Detect setting.

    Source Network
    Specify an IP address or a Classless Inter-Domain Routing (CIDR) range. If you leave this blank, Cortex XSIAM accepts logs from any source IP address that transmits over the specified protocol and port. Plain UDP syslog carries no authentication and the source address is the only filter the collector applies, so restrict this field to the hosts or networks that are expected to send logs wherever you can. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the rows matters: in this example, logs from 10.0.0.10 are handled only by the first row. For more information on prioritizing the order of the rows, see Task 5.

    After each configuration, select the blue arrow to save the changes, and then select Done to update the Syslog Collector with your settings.
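The two rules in the table above, first-match ordering of overlapping Source Network rows and the Vendor/Product precedence for CEF and LEEF events, are easy to get wrong once several rows share a port, and the table for a new data source in Task 4 is governed by the same rules. The following is an added example, not Cortex XSIAM code and not this guide's own material: it models both rules with class and function names of its own (an assumption, not the product's API) so you can check a planned row order and some sample events offline. It also handles a backslash-escaped pipe in a CEF header, which the text does not discuss; sample rows and events are constructed.

```python
"""Model of the Syslog Collector data-source rules described in Task 3.

Added example, not Cortex XSIAM code. It reproduces two documented behaviours:
  1. overlapping Source Network rows are matched top-down and the first match wins;
  2. for CEF/LEEF rows, Vendor/Product come from the event header when present,
     otherwise from the row's settings, otherwise they are set to "unknown".
Class and function names are this example's own (assumption), not the product's.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

AUTO_DETECT = "Auto-Detect"
UNKNOWN = "unknown"


@dataclass(frozen=True)
class DataSource:
    port: int
    protocol: str              # e.g. "UDP"
    fmt: str = AUTO_DETECT     # Auto-Detect, CEF, LEEF, CISCO, CORELIGHT or RAW
    vendor: str = AUTO_DETECT
    product: str = AUTO_DETECT
    source_network: str = ""   # IP address or CIDR; blank accepts any source


def select_row(rows: Iterable[DataSource], port: int, protocol: str, src_ip: str) -> Optional[DataSource]:
    """Return the first row, in configured order, whose port/protocol match and
    whose Source Network contains src_ip (a blank Source Network matches any source)."""
    ip = ipaddress.ip_address(src_ip)
    for row in rows:
        if row.port != port or row.protocol.upper() != protocol.upper():
            continue
        if not row.source_network:
            return row
        if ip in ipaddress.ip_network(row.source_network, strict=False):
            return row
    return None


def _split_header(header: str, count: int) -> list:
    """Split the start of a CEF/LEEF header on unescaped '|' into `count` fields.
    A backslash escapes the next character (CEF writes a literal pipe as '\\|')."""
    fields, buf, i = [], [], 0
    while i < len(header) and len(fields) < count:
        ch = header[i]
        if ch == "\\" and i + 1 < len(header):
            buf.append(header[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields


def header_vendor_product(message: str) -> Tuple[str, str]:
    """Extract (vendor, product) from a CEF or LEEF event, ignoring any syslog
    header in front of it. Returns ("", "") when the fields are absent or blank."""
    m = re.search(r"\b(CEF|LEEF):", message)
    if not m:
        return "", ""
    fields = _split_header(message[m.end():], 3)   # version | vendor | product
    if len(fields) < 3:
        return "", ""
    return fields[1].strip(), fields[2].strip()


def resolve_vendor_product(row: DataSource, message: str) -> Tuple[str, str]:
    """Apply the documented precedence: event header, then row settings, then unknown."""
    if row.fmt not in ("CEF", "LEEF"):
        # The page states the precedence only for CEF/LEEF; for other formats
        # this example simply returns the row's settings (assumption).
        return row.vendor, row.product
    ev_vendor, ev_product = header_vendor_product(message)

    def pick(from_event: str, configured: str) -> str:
        if from_event:
            return from_event
        if configured and configured != AUTO_DETECT:
            return configured
        return UNKNOWN

    return pick(ev_vendor, row.vendor), pick(ev_product, row.product)


def classify(rows, port, protocol, src_ip, message):
    """Which row handles this datagram, and what Vendor/Product it yields."""
    row = select_row(rows, port, protocol, src_ip)
    if row is None:
        return None  # no row accepts this source; the collector would not ingest it
    return row, resolve_vendor_product(row, message)


if __name__ == "__main__":
    # Constructed sample configuration, listed in the order the rows appear in the UI.
    rows = [
        DataSource(514, "UDP", "CEF", "Acme", "Firewall", "10.0.0.10"),
        DataSource(514, "UDP", "RAW", "Acme", "Switch", "10.0.0.0/24"),
    ]
    event = "<134>Oct 10 12:00:00 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1|THREAT|virus|5|src=10.0.0.10"
    print(classify(rows, 514, "UDP", "10.0.0.10", event))   # first row wins; header vendor/product used
    print(classify(rows, 514, "UDP", "10.0.0.20", event))   # falls through to the /24 row
    print(classify(rows, 514, "UDP", "192.0.2.1", event))   # None: no row accepts this source
```

Swapping the two rows in `rows` makes the /24 row capture 10.0.0.10 as well, which is the ordering pitfall the Source Network description warns about; run `classify` on your intended order before dragging rows around in Task 5.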

To add a new Syslog Collector data source (Task 4):

  1. Select Add New.

  2. Configure the mandatory General settings, the PORT and PROTOCOL on which the new data source listens. These cannot be changed after the data source is saved.

  3. Configure these Optional Settings:

    Format
    Select the format of the syslog messages that arrive on the protocol and port you defined: Auto-Detect (default), CEF, LEEF, CISCO, CORELIGHT, or RAW. For CEF and LEEF, Vendor and Product are resolved as described in Task 3.

    Vendor and Product
    Enter a particular vendor and product for the selected format, or leave the default Auto-Detect setting.

    Source Network
    Specify an IP address or a Classless Inter-Domain Routing (CIDR) range. If you leave this blank, Cortex XSIAM accepts logs from any source IP address that transmits over the specified protocol and port; restrict it to the expected senders where you can, since the source address is the only filter applied. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the rows matters: in this example, logs from 10.0.0.10 are handled only by the first row. For more information on prioritizing the order of the rows, see Task 5.

    After each configuration, select the blue arrow to save the changes, and then select Done to update the Syslog Collector with your settings.

To remove or reorder data sources (Task 5):

  • To remove a Syslog Collector data source, right-click its row (after the Port/Protocol entry) and select Remove.

  • To prioritize the order in which data sources are matched for the protocols and ports configured, drag and drop the rows into the order you require. Rows are evaluated from the top, so place the more specific Source Network entries above broader ones.

Click Save. After a successful activation, the APPS field displays Syslog with a green dot indicating a successful connection.
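Once the green dot appears, the quickest end-to-end check is to send a few known events at the collector and watch the Logs Received metric. The script below is an added example, not part of this guide or of Cortex XSIAM: the collector address is a placeholder you must replace, and the three event bodies are constructed samples chosen to exercise the Vendor/Product rules from Task 3 (one CEF line with Vendor/Product populated, one with them blank, and one raw line).

```python
"""Send constructed test events to an activated Syslog Collector and confirm
they appear in the applet's Logs Received metric.

Added example, not Cortex XSIAM tooling. COLLECTOR_HOST is a placeholder
(assumption) for the Broker VM address; COLLECTOR_PORT over UDP must match a
data source configured on the collector (514/UDP by default).
"""
import socket
from datetime import datetime

COLLECTOR_HOST = "192.0.2.10"  # assumption: replace with your Broker VM IP
COLLECTOR_PORT = 514

# Syslog facility/severity codes (RFC 5424, section 6.2.1)
FACILITY_USER = 1
SEVERITY_INFO = 6


def syslog_priority(facility: int, severity: int) -> int:
    """PRI value as defined by RFC 3164/5424: facility * 8 + severity."""
    return facility * 8 + severity


def build_syslog_message(body: str, hostname: str, when: datetime,
                         facility: int = FACILITY_USER, severity: int = SEVERITY_INFO) -> str:
    """Wrap an event body in an RFC 3164-style header: <PRI>Mmm dd hh:mm:ss host body.
    The timestamp is passed in so the output is deterministic and testable."""
    pri = syslog_priority(facility, severity)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 pads a single-digit day with a space
    return f"<{pri}>{stamp} {hostname} {body}"


def sample_events(hostname: str, when: datetime) -> list:
    """Constructed test events, one per collector behaviour worth checking."""
    bodies = [
        # Vendor/Product present: the collector should use these, not the row's settings.
        "CEF:0|Acme|Firewall|1.0|100|Test allow|3|src=10.0.0.10 dst=192.0.2.50 spt=40000 dpt=443",
        # Vendor/Product blank: the collector should fall back to the row's Vendor/Product.
        "CEF:0|||1.0|101|Test blank header|3|src=10.0.0.10 dst=192.0.2.50",
        # Not CEF/LEEF at all: exercises RAW or Auto-Detect handling.
        "test-sender: raw syslog line for ingestion check",
    ]
    return [build_syslog_message(b, hostname, when) for b in bodies]


def send_udp(messages: list, host: str = COLLECTOR_HOST, port: int = COLLECTOR_PORT) -> int:
    """Send each message as one UDP datagram and return the number sent.
    UDP gives no delivery confirmation, so verify on the collector's metrics page."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    msgs = sample_events(socket.gethostname(), datetime.now())
    print(f"sent {send_udp(msgs)} datagrams to {COLLECTOR_HOST}:{COLLECTOR_PORT}/udp")
```

Run it from a host whose address falls inside the Source Network of the intended row; if the sending host is outside every row's Source Network the datagrams are silently dropped and Logs Received does not move, which is itself a useful test of the filter.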

To view metrics about the Syslog Collector, left-click the Syslog connection in the APPS field for your Broker VM. Cortex XSIAM displays the following information:

Connectivity Status
Whether the applet is connected to Cortex XSIAM.

Logs Received and Logs Sent
The number of logs received and sent by the applet per second over the last 24 hours. If the number of logs received is larger than the number of logs sent, the applet is not forwarding everything it ingests, which can indicate a connectivity issue.

Resources
The amount of CPU, memory, and disk space the applet is using.

After the Syslog Collector has been activated, you can change its configuration if needed. To modify a configuration, left-click the Syslog connection in the APPS column to display the Syslog Collector settings, and select:

  • Configure to change the Syslog Collector data sources and settings.

  • Deactivate to disable the Syslog Collector.