Define syslog settings and then configure notification forwarding to receive notifications about alerts and reports.
A syslog receiver can be a physical or virtual server, a SaaS solution, or any service that accepts syslog messages.
To send Cortex XSIAM notifications to your syslog receiver, you first need to define the settings for the syslog receiver. Once this is complete, you can configure notification forwarding.
Before you begin, enable access to the following Cortex XSIAM IP addresses for your region in your firewall.
Select
→ → → .In Syslog Servers, click + New Server.
Define the following parameters:
Parameter
Description
Name
Unique name for the server profile.
Destination
IP address or fully qualified domain name (FQDN) of the syslog receiver.
Port
Port number on which to send syslog messages.
Facility
Select one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.
Protocol
Method of communication with the syslog receiver:
TCP: No validation is made on the connection with the syslog receiver. However, if an error occurred with the domain used to make the connection, the Test connection will fail.
UDP: No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.
TCP + SSL: Cortex XSIAM validates the syslog receiver certificate and uses the certificate signature and public key to encrypt the data sent over the connection.
Certificate
The communication between Cortex XSIAM and the syslog destination can use TLS. In this case, upon connection, Cortex XSIAM validates that the syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate.
If your syslog receiver uses a self-signed CA, upload your self-signed syslog receiver CA. If you only use a trusted root CA leave the certificate field empty.
Note
Up to TLS 1.3 is supported.
Make sure the self-signed CA includes your public key.
You can ignore certificate errors. For security reasons, this is not recommended. If you choose this option, logs will be forwarded even if the certificate contains errors.
Test the parameters to ensure a valid connection, and click Create when ready.
You can define up to five syslog receivers. Upon success, the table displays the syslog servers and their status.
After you integrate with your syslog receiver, configure your forwarding settings. For more information see, Configure notification forwarding.