Integrate a syslog receiver - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-12-02
Category
Administrator Guide
Abstract

Define syslog settings and then configure notification forwarding to receive notifications about alerts and reports.

A syslog receiver can be a physical or virtual server, a SaaS solution, or any service that accepts syslog messages.

To send Cortex XSIAM notifications to your syslog receiver, you first need to define the settings for the syslog receiver. Once this is complete, you can configure notification forwarding.

How to send logs to a syslog receiver

Before you begin, enable access to the following Cortex XSIAM IP addresses for your region in your firewall.

  1. Select SettingsConfigurationsIntegrationsExternal Applications.

  2. In Syslog Servers, click + New Server.

  3. Define the following parameters:

    Parameter

    Description

    Name

    Unique name for the server profile.

    Destination

    IP address or fully qualified domain name (FQDN) of the syslog receiver.

    Port

    Port number on which to send syslog messages.

    Facility

    Select one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.

    Protocol

    Method of communication with the syslog receiver:

    • TCP: No validation is made on the connection with the syslog receiver. However, if an error occurred with the domain used to make the connection, the Test connection will fail.

    • UDP: No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.

    • TCP + SSL: Cortex XSIAM validates the syslog receiver certificate and uses the certificate signature and public key to encrypt the data sent over the connection.

    Certificate

    The communication between Cortex XSIAM and the syslog destination can use TLS. In this case, upon connection, Cortex XSIAM validates that the syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate.

    If your syslog receiver uses a self-signed CA, upload your self-signed syslog receiver CA. If you only use a trusted root CA leave the certificate field empty.

    Note

    • Up to TLS 1.3 is supported.

    • Make sure the self-signed CA includes your public key.

    You can ignore certificate errors. For security reasons, this is not recommended. If you choose this option, logs will be forwarded even if the certificate contains errors.

  4. Test the parameters to ensure a valid connection, and click Create when ready.

    You can define up to five syslog receivers. Upon success, the table displays the syslog servers and their status.

What to do next

After you integrate with your syslog receiver, configure your forwarding settings. For more information see, Configure notification forwarding.

When configuring a syslog message, Cortex XSIAM sends a test message. If a test message cannot be sent, Cortex XSIAM displays an error message to help you troubleshoot.

The following table includes descriptions and suggested solutions for the error messages:

Error Message

Description

Suggested Solution

Host Resolving Failed

The IP address or hostname you provided doesn't exist, or can't be resolved.

Ensure you have the correct IP address or the hostname.

Configured Local Address

The IP address or hostname you provided is internal and can't be used.

Ensure you have the correct IP address or the hostname.

Wrong Certificate Format

The certificate you uploaded is in an unexpected format and can't be used. The certificate must be an ASCII string or a bytes-like object.

Re-create the certificate in the correct format, for example:

-----BEGIN CERTIFICATE-----MIIDHTCCAgWgAwIBAgIQSwieRyGdh6BNRQyp406bnTANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDExZTVVJTLUNoYXJsaWVBbHBoYS1Sb290MB4XDTIwMDQzMDE4MjEzNFoXDTMwMDQzMDE4MzEzNFowITEfMB0GA1UEAxMWU1VSUy1DaGFybGllQWxwaGEtUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJHH2HR/CzVzm9lOIu6rrtF9opYeIJdtgJR2Le7w4M56lFKIoziAfZD9qR0DqXpAV+42PZC8Oe4ueweD44OKTnaofbOxQvygelvHkFyAj+oz0VppzhmeUXh1Eux96QKB+Q+vSm8FbNlBL2SI8RhceYsWtZe5vBm/zDdV2alO5LJ3rEj9ycG1a7re1wSDQ67NaSrny+C/7IL5utlVspcgjslEiGM7D30uKszpq3CCeV9f7aPHCVZbbFRBxe4cbgZjGvE7Mm1OBbsypMT3z8jmSj7Kz5ui6R8mlqtll5MkIGtvmc1aypJHKrobwcs2ozEmLiVR0F1oJrl+PIZy5MXhBUcCAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIJ1ZhG0dkgwF8OOB/eT4u/9yowaMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQBvDQ4Epr0zxQHuyziDtlauddVsrLpckljHc+dCIhBvGMzGEj47Cb0c/eNt6tHrPThyzRxOHd9GBMX4AxLccPNuCZdWIRTgb4SYzDspGEYDK7v/N5+FvpYdWRgB4msUXhHt36ivH450XuY8Slt+qbQWNVU2+xIkMSSA3mUwnK+hz1GwO/Zc2JYOaVZUrW39EuzNePJ+O6BlgMRMRPNGzgT+xSxt316r/QnVA2sk4IXshdGGMG0VcuzBCyeuiCRP5/2QeFthas5EoXbdlB5eK3VzqLtiKyua/kS/hPuKahN9mI8FZ4TNB+nd6+eRQs2nsnbVOFmmOYu5KkGnDOjTzRh4-----END CERTIFICATE-----

Connection Timed Out

Cortex XSIAM didn’t connect to the syslog receiver in the expected time. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Check the firewall logs and the connection using WireShark.

Connection Refused

The syslog receiver refused the connection. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Check the firewall logs and the connection using WireShark.

Connection Reset

The connection was reset by the syslog receiver. This could be because your firewall blocked the connection or because the configuration of the syslog receiver caused it to drop the connection.

Check the firewall logs and the connection using WireShark.

Certificate Verification Failed

The uploaded certificate couldn’t be verified for one of the following reasons.

  • The certificate doesn't correspond to the certificate on the syslog receiver and can't be validated.

  • The certificate doesn’t have the correct hostname.

  • You are using a certificate chain and didn’t merge the certificates into one certificate.

  • Incorrect certificate: to check that the certificate you are uploading corresponds to the server syslog certificate, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

  • Incorrect hostname: make sure that the hostname/ip in the certificate matches the syslog server.

  • Certificate chain: If you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command in Linux or macOS.

    cat intermediate_cert root_cert > merged_syslog.crt 

    If the concatenated certificate doesn’t work, change the order of the root and intermediate certificates, and try again.

    To verify that the chain certificate was saved correctly, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

Connection Terminated Abruptly

The firewall or the syslog receiver dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration on the syslog receiver drops the connection, or the network is unstable.

Check the firewall logs and the connection using WireShark.

Host Unreachable

The network configuration is faulty and the connection can't reach the syslog receiver.

Check the network configuration to make sure that everything is configured correctly like a firewall or a load balancer which may be accidentally directing the connection to a dead server.

SSL Error

Unknown SSL error.

To investigate the issue, contact support.

Connection Unavailable

General error.

To investigate the issue, contact support.