Add a Syslog Server - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-02-14
Last date published
2024-04-21
Category
Administrator Guide
Solution
Cloud
Abstract

Add and manage syslog servers. Define the syslog server parameters.

To send Cortex XSOAR audit notifications to your syslog server, you need to allow the Cortex XSOAR log forwarding addresses through your firewall and then define the server settings in Cortex XSOAR.

  1. In your firewall configuration, allow inbound connections to your syslog server from the following Cortex XSOAR log forwarding IP addresses for your deployment region (Cortex XSOAR connects to your server from these source addresses):

    Region: Log Forwarding IP Addresses

    United States - Americas (US): 35.232.87.9, 35.224.66.220

    Germany (DE): 35.234.95.96, 35.246.192.146

    Netherlands - Europe (EU): 34.90.202.186, 34.90.105.250

    Canada (CA): 35.203.54.204, 35.203.52.255

    United Kingdom (UK): 34.105.227.105, 34.105.149.197

    Singapore (SG): 35.240.192.37, 34.87.125.227

    Japan (JP): 34.84.88.183, 35.243.76.189

    Australia (AU): 35.189.38.167, 34.87.219.39

    United States - Government: 104.198.222.185, 35.239.59.210

    India (IN): 34.93.247.41, 34.93.183.131

    Switzerland (CH): 34.65.228.95, 34.65.74.83

    Poland (PL): 34.118.45.145, 34.118.126.170

    Taiwan (TW): 35.234.2.208, 35.185.171.91

    Qatar (QT): 34.18.48.182, 34.18.43.40

    France (FA): 34.163.100.253, 34.155.72.149

    Israel (IL): 34.165.194.4, 34.165.101.105

    Saudi Arabia (SA): 34.166.50.215, 34.166.55.72

  2. Go to Settings & Info → Settings → Integrations → Syslog Servers → New Server.

  3. Define the syslog server parameters.

    Parameter - Description

    Name - Unique name for the server profile.

    Destination - IP address or fully qualified domain name (FQDN) of the syslog server.

    Port - The port number to which syslog messages are sent.

    Facility - One of the standard syslog facility values. The value is encoded in the PRI field of every message and determines how your syslog server routes and stores the messages. For details on the facility field, see RFC 5424.

    Protocol - Select a method of communication:

    • TCP - Cortex XSOAR does not validate the identity of the syslog server; plain TCP carries no authentication or encryption. Test connection still fails if the destination name cannot be resolved or no TCP connection can be established.

    • UDP - No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data, so a dropped message is not detected.

    • TCP + SSL - Cortex XSOAR validates the syslog server certificate and encrypts the connection with TLS, so audit records cannot be read or altered in transit.

    Certificate - Communication between Cortex XSOAR and the syslog destination can use TLS. In that case, upon connection, Cortex XSOAR checks that the syslog receiver presents a certificate that chains either to a trusted public root CA or to the self-signed CA you upload here. If you receive a certificate error when using a public certificate, you may need to merge the root and intermediate certificates into the chain the receiver presents. If your syslog receiver uses a self-signed CA, Browse and upload that self-signed CA certificate. If you only use a trusted root CA, leave the certificate field empty.

    Note

    Up to TLS 1.2 is supported.

    If you use a self-signed CA, make sure the certificate you upload is the CA certificate (carrying the CA public key) that signed the receiver's certificate; otherwise validation fails.

    You can choose to ignore certificate errors. For security reasons, this is not recommended: logs are then forwarded even if the certificate is invalid, so a host on the path could impersonate your syslog receiver and read or alter the audit records.

  4. Test the parameters to ensure a valid connection and Create when ready.

    You can define up to five syslog servers. Upon success, the table displays the syslog servers and their status.
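The following Python script is an added example for the receiver side of step 1 and for the Facility parameter above; it is not Cortex XSOAR code. It turns the region table into nftables rules that accept syslog only from the two Cortex XSOAR forwarding addresses, and decodes the RFC 5424 PRI field of an incoming message so you can confirm that the facility you selected in Cortex XSOAR is what actually arrives. The nftables table and chain names (inet filter input), the port 6514 and the sample message are assumptions made for the example.

```python
"""Receiver-side checks for step 1 (firewall allow-list) and the Facility
parameter (RFC 5424 PRI field). Added example, not Cortex XSOAR code."""
import ipaddress
import re

# Log forwarding source IPs per region, copied from the table in step 1.
XSOAR_LOG_FORWARDING_IPS = {
    "US": ("35.232.87.9", "35.224.66.220"),
    "DE": ("35.234.95.96", "35.246.192.146"),
    "EU": ("34.90.202.186", "34.90.105.250"),
    "CA": ("35.203.54.204", "35.203.52.255"),
    "UK": ("34.105.227.105", "34.105.149.197"),
    "SG": ("35.240.192.37", "34.87.125.227"),
    "JP": ("34.84.88.183", "35.243.76.189"),
    "AU": ("35.189.38.167", "34.87.219.39"),
    "US-GOV": ("104.198.222.185", "35.239.59.210"),
    "IN": ("34.93.247.41", "34.93.183.131"),
    "CH": ("34.65.228.95", "34.65.74.83"),
    "PL": ("34.118.45.145", "34.118.126.170"),
    "TW": ("35.234.2.208", "35.185.171.91"),
    "QT": ("34.18.48.182", "34.18.43.40"),
    "FA": ("34.163.100.253", "34.155.72.149"),
    "IL": ("34.165.194.4", "34.165.101.105"),
    "SA": ("34.166.50.215", "34.166.55.72"),
}

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# An RFC 5424 header starts "<PRI>VERSION "; PRI carries no leading zeros.
_HEADER_RE = re.compile(r"^<(0|[1-9]\d{0,2})>([1-9]\d?) ")


def nft_allow_rules(region: str, port: int = 6514, proto: str = "tcp") -> list:
    """nftables statements that accept syslog on `port` only from the region's
    two forwarding IPs and drop the rest. The table/chain (inet filter input)
    and port 6514 (syslog over TLS) are assumptions for this example."""
    ips = XSOAR_LOG_FORWARDING_IPS[region]
    for ip in ips:
        ipaddress.IPv4Address(ip)  # fail loudly on a mistyped address
    saddr_set = "{ " + ", ".join(ips) + " }"
    return [
        f"nft add rule inet filter input ip saddr {saddr_set} {proto} dport {port} accept",
        f"nft add rule inet filter input {proto} dport {port} drop",
    ]


def source_is_xsoar(region: str, src: str) -> bool:
    """True if a connecting source address is one of the region's forwarders."""
    allowed = {ipaddress.ip_address(ip) for ip in XSOAR_LOG_FORWARDING_IPS[region]}
    return ipaddress.ip_address(src) in allowed


def decode_pri(message: str) -> tuple:
    """Return (facility, severity) names from an RFC 5424 message header."""
    m = _HEADER_RE.match(message)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % message[:16])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri: the PRI a forwarder sends for a given setting."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


if __name__ == "__main__":
    for rule in nft_allow_rules("US"):
        print(rule)
    # Constructed sample: an audit record sent with Facility local0 at severity info.
    sample = "<134>1 2024-04-21T10:00:00Z xsoar - - - - audit: user login"
    print(decode_pri(sample))
```

Run the script with the region you deploy in and apply the two printed nft statements to the receiver; the accept rule must precede the drop rule. If the receiver logs an unexpected facility, compare decode_pri on a captured line with encode_pri of the facility you chose in the profile.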

Manage Syslog Servers

To manage existing syslog servers, go to Settings & Info → Settings → Integrations → Syslog Servers. Right-click on a row to edit, delete, or send a test message. If the message fails, refer to Syslog Server Test Message Errors for troubleshooting.

The Status field shows Valid or Invalid according to the most recent TCP connection test. Cortex XSOAR retests the connection with each syslog server every 10 minutes.
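As an added example, not product code, the Python below mirrors the client side of the Protocol and Certificate settings and the connection check behind the Status column: a TLS client context for the verified TCP + SSL case (system trust store, or an uploaded self-signed CA or merged root plus intermediate bundle, pinned to TLS 1.2) beside the not-recommended "ignore certificate errors" context, a sender using RFC 6587 LF framing, and a TCP reachability probe. The loopback receiver, the 3-second timeout and the sample message are constructed for the example.

```python
"""Client-side view of the Protocol and Certificate settings and of the
periodic TCP check behind the Status column. Added example, not product code."""
import socket
import ssl
import threading
from typing import Optional


def tls_client_context(ca_file: Optional[str] = None,
                       ignore_cert_errors: bool = False) -> ssl.SSLContext:
    """Three Certificate choices: trusted public root CA (ca_file=None, system
    trust store), an uploaded CA bundle (path to the self-signed CA or a merged
    root+intermediate PEM), or 'ignore certificate errors' (no verification)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The guide says up to TLS 1.2 is supported; pin this client to exactly 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if ignore_cert_errors:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """The settings that decide whether a spoofed receiver would be accepted."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "max_version": ctx.maximum_version.name}


def send_syslog_tcp(host: str, port: int, message: str,
                    ctx: Optional[ssl.SSLContext] = None, timeout: float = 3.0) -> int:
    """Send one message with RFC 6587 LF framing, over TLS if a context is given.
    Returns the number of bytes written."""
    data = message.encode("utf-8") + b"\n"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if ctx is None:                 # Protocol = TCP: no identity check at all
            raw.sendall(data)
        else:                           # Protocol = TCP + SSL
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(data)
    return len(data)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """What the Status column reports: can a TCP connection be established?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def roundtrip_plain(message: str) -> bytes:
    """Loopback receiver for the demo: accept one plain-TCP connection and
    return the bytes it received. Constructed harness, not a real receiver."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = bytearray()

    def receiver():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    worker = threading.Thread(target=receiver, daemon=True)
    worker.start()
    send_syslog_tcp("127.0.0.1", port, message)
    worker.join(timeout=5)
    srv.close()
    return bytes(received)


def probe_demo() -> tuple:
    """(status while a receiver is listening, status after it has gone away)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()
    return while_listening, probe_tcp("127.0.0.1", port)


if __name__ == "__main__":
    print(describe_context(tls_client_context()))
    print(describe_context(tls_client_context(ignore_cert_errors=True)))
    print(roundtrip_plain("<134>1 2024-04-21T10:00:00Z xsoar - - - - audit: user login"))
    print(probe_demo())
```

To exercise the TLS path against your own receiver, pass tls_client_context(ca_file="/path/to/receiver-ca.pem") to send_syslog_tcp; a certificate error here reproduces what Test connection reports in Cortex XSOAR, and the usual fix is the merged root plus intermediate bundle described under Certificate. Note that probe_tcp, like the Status column, only proves a TCP handshake succeeded; it says nothing about whether the receiver's certificate would be accepted.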