Install the XDR Collector installation package for Linux - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Learn how to install the Cortex XDR Collector on Linux collector machines.

You can install the XDR Collector using three available packages for a Linux installation: Linux RPM, Linux DEB, and Linux SH. You can install the XDR Collector package on any Linux server, whether it is a physical or virtual machine. Temporary sessions can run on either.

Note

We recommend that you perform a Linux RPM or Linux DEB installation.

Before completing this task, ensure that you create and download a Cortex XDR Collector installation package, and then upload these installation files to your Linux environment.

To install the XDR Collector installation package for Linux:

  1. Log on to the Linux server.

    For example:

    user@local ~ $ ssh root@ubuntu.example.com
    Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1041-aws x86_64)

    * Documentation:  https://help.ubuntu.com
    * Management:     https://landscape.canonical.com
    * Support:        https://ubuntu.com/advantage

    Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

    0 packages can be updated.
    0 updates are security updates.


    Last login: Tue Aug 26 22:14:15 2021 from 192.168.1.100

  2. Extract the installation files you uploaded using one of the following commands, depending on the Linux package you downloaded:

    Linux Package    Extract Command
    Linux RPM        tar xvf <installation_package_name>.rpm
    Linux DEB        tar xvf <installation_package_name>.deb
    Linux SH         tar xvf <installation_package_name>.sh

  3. Create a directory and copy the collector.conf installation file to the /etc/panw/ directory.

    sudo mkdir -p /etc/panw
    sudo cp ./collector.conf /etc/panw/
  4. Install the XDR Collectors software.

    You can install the XDR Collectors on the collector machine manually using the shell installer or using the Linux package manager for .rpm and .deb installers:

    Important

    When performing an XDR Collector installation or upgrade in Linux using a shell installer, the /tmp folder cannot be marked as noexec. Otherwise, the installation or upgrade fails. As a workaround, before the installation or upgrade, use the following command:

    mount -o remount,exec /tmp

    Note

    If the XDR Collector does not connect to Cortex XSIAM, verify your Internet connection on the collector machine. If the XDR Collector still does not connect, verify the installation package has not been removed from the Cortex XSIAM management console.
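The /tmp workaround from step 4, as an added example that is not part of the Cortex XSIAM documentation: it checks whether /tmp is mounted noexec, remounts it exec only while the installer runs, and restores noexec afterwards so the hardening setting is not left off. The function names are hypothetical, and the installer command is passed in by the caller because it is not shown on this page.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code). Function names are
# hypothetical; the installer command is supplied by the caller.

# Print the mount options of the filesystem mounted at $1, read from a
# table in /proc/mounts format ($2, default /proc/mounts).
# Constructed sample line:
#   tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
# The last matching line wins, because a later mount shadows an earlier one.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' \
        "${2:-/proc/mounts}"
}

# Return 0 if the mount at $1 carries the noexec option, 1 otherwise
# (including when $1 is not a separate mount point).
is_noexec() {
    case ",$(mount_opts "$1" "${2:-/proc/mounts}")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the given command with /tmp temporarily remounted exec, then put
# noexec back even if the command fails. Must be run as root.
with_exec_tmp() {
    if ! is_noexec /tmp; then
        "$@"    # /tmp already allows execution; nothing to change
        return $?
    fi
    mount -o remount,exec /tmp || return 1
    "$@"
    rc=$?
    mount -o remount,noexec /tmp ||
        echo "WARNING: /tmp left exec; restore noexec manually" >&2
    return $rc
}
```

Run it as root in the form `with_exec_tmp <installer command>`; the wrapper returns the installer's exit status.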

Additional options are available to help you customize your installation if needed. The following table describes common options and parameters.

If you are using rpm or deb installers, you must also add these parameters to the /etc/panw/collector.conf file prior to installation.

Option

Description

--proxy-list "<proxyserver>:<port>"

Proxy communication

Configure the XDR Collector to communicate through an intermediary such as a proxy.

To enable the XDR Collector to direct communication to an intermediary, you use this installation option to assign the IP address and port number you want the XDR Collector to use. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces.

Use commas to separate multiple addresses. For example:

--proxy-list "My.Network.Name:808, 10.196.20.244:8080"

After the initial installation, you can change the proxy settings using the configuration XML.

Note

The XDR Collector does not support proxy communication in environments where proxy authentication is required.

--data-path <directory path>

Directory path

The path for persistence, content, Filebeat application data, and transaction data.

--data-path=/tmp/xdrLog