Syslog server management - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2025-02-11
Category: Administrator Guide
Solution: Cloud

Abstract

Add and manage syslog servers. Define the syslog server parameters.

To send Cortex XSOAR audit notifications to your syslog server, you need to enable access in your firewall configuration and define the settings for the server in Cortex XSOAR.

To view, manage, and create a syslog server, go to Settings & Info → Settings → Integrations → Syslog Servers.

For an existing syslog server, right-click on a row to edit, delete, or send a test message. If a message fails, see the troubleshooting section.

The Status field displays a Valid or Invalid TCP connection. Cortex XSOAR tests the connection with the syslog server every 10 minutes.

Note

Cortex XSOAR supports OpenSSL 1.1.1 and later.

Before you begin, you need to enable access to the following Cortex XSOAR IP addresses for your region in your firewall.

  1. Select Settings & Info → Settings → Integrations → Syslog Servers → New Server.

  2. Define the syslog server parameters.

    Name: Unique name for the server profile.

    Destination: IP address or fully qualified domain name (FQDN) of the syslog server.

    Port: The port number on which to send syslog messages.

    Facility: Select one of the standard syslog facility values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.

    Protocol: Select a method of communication:

    • TCP: No validation is made on the connection with the syslog server. However, if an error occurs with the domain used to make the connection, the Test connection will fail.

    • UDP: No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.

    • TCP + SSL: Cortex XSOAR validates the syslog server certificate and uses the certificate signature and public key to encrypt the data sent over the connection.

    Certificate: The communication between Cortex XSOAR and the syslog destination can use TLS. If so, upon connection, Cortex XSOAR validates that the syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the root and intermediate certificates if you receive a certificate error when using a public certificate.

    If your syslog receiver uses a self-signed CA, click Browse and upload your self-signed syslog receiver CA. If you only use a trusted root CA, leave the certificate field empty.

    Note

    Up to TLS 1.2 is supported.

    If you use a self-signed CA, ensure the self-signed CA includes your public key.

    You can choose to ignore certificate errors. For security reasons, this is not recommended. If you choose this option, logs will be forwarded even if the certificate contains errors.

  3. Test the parameters to ensure a valid connection.

  4. Create the syslog server.

    You can define up to five syslog servers. Upon success, the table displays the syslog servers and their status.

  5. Set up management audit notification forwarding. For more information, see Configure log and notification forwarding.
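Before uploading a CA under the Certificate parameter, you can check the file locally. The following Python is an added example, not Cortex XSOAR code: it lints a PEM file for the defects that later surface as the Wrong Certificate Format and Certificate Verification Failed errors in the troubleshooting section (non-ASCII bytes or a byte-order mark, unbalanced BEGIN/END markers, a body that is not base64, an empty body) and merges root and intermediate certificates into one file in either order, as the cat command in that section does. The two sample certificates are constructed placeholders (base64 of a label string), not real certificates, and the function names are this example's own.

```python
"""Lint and merge PEM certificate files before uploading a syslog receiver CA.

Added example, not Cortex XSOAR code. The sample certificates are constructed
placeholders whose bodies are base64 of a fixed label, not real certificates.
"""
import base64
import binascii
import re
import textwrap

# One PEM certificate block; the body is everything between the markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n?-----END CERTIFICATE-----", re.DOTALL
)


def lint_pem(data: bytes) -> list:
    """Return the problems found in a certificate file; [] means it looks like valid PEM."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte-order mark")
    try:
        text = data.decode("ascii")       # the upload must be ASCII text
    except UnicodeDecodeError:
        problems.append("file contains non-ASCII bytes")
        return problems
    if text.count("-----BEGIN CERTIFICATE-----") != text.count("-----END CERTIFICATE-----"):
        problems.append("unbalanced BEGIN/END CERTIFICATE markers")
    blocks = _PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM certificate block found")
    for n, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"certificate {n}: body is not valid base64")
            continue
        if not der:
            problems.append(f"certificate {n}: empty body")
    return problems


def split_chain(text: str) -> list:
    """Return each certificate in the file, in order, normalised to one block per item."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + "\n".join(body.split()) + "\n-----END CERTIFICATE-----"
        for body in _PEM_BLOCK.findall(text)
    ]


def merge_chain(*pem_files: str, root_last: bool = True) -> str:
    """Concatenate chain files into one PEM, as 'cat intermediate_cert root_cert' does.

    root_last=False emits the reverse order, the variant to try when the
    first ordering is rejected by the receiver or the upload.
    """
    certs = [cert for pem in pem_files for cert in split_chain(pem)]
    if not certs:
        raise ValueError("no certificates to merge")
    if not root_last:
        certs.reverse()
    return "\n".join(certs) + "\n"


def _constructed_pem(label: str) -> str:
    """Constructed placeholder: base64 of a label, wrapped at 64 columns like real PEM."""
    body = base64.b64encode(f"constructed placeholder, not a certificate: {label}".encode()).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_INTERMEDIATE = _constructed_pem("intermediate CA")   # constructed
SAMPLE_ROOT = _constructed_pem("root CA")                   # constructed

if __name__ == "__main__":
    merged = merge_chain(SAMPLE_INTERMEDIATE, SAMPLE_ROOT)
    print(lint_pem(merged.encode()), len(split_chain(merged)), "certificates")
```

To use it on real files, read each file as bytes, pass it to lint_pem, and only upload when the list is empty; merge_chain writes the same bundle the cat command produces, so the openssl verify check in the troubleshooting section still applies to its output.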

The following table describes the syslog features.

Supported format: RFC 5424. For more information, see RFC 5424.

Supported protocols:

  • UDP

  • TCP

  • TLS

  Note

  Unix protocol is not supported.

Structure:

  Note

  The TAG field is not supported.

  Priority is calculated based on facility (which is by default user action) and event severity, and cannot be overridden.

  • Login message

  • Playbook edit
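To make the Structure row concrete, here is an added Python example (not Cortex XSOAR code) that derives the PRI value from a facility and a severity exactly as RFC 5424 defines it, builds a message in that format, and parses one back into its fields so a receiver-side filter can be checked against what is actually sent. The hostname, app name and message text are constructed sample values, and the helper names are this example's own.

```python
"""Build and decode RFC 5424 syslog messages.

Added example, not Cortex XSOAR code. PRI = facility * 8 + severity
(RFC 5424 section 6.2.1); the sample field values are constructed.
"""
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; e.g. user (1) and notice (5) give 13."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, app_name, msg, timestamp=None):
    """Assemble an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    PROCID, MSGID and STRUCTURED-DATA are sent as NILVALUE ('-'). This format
    has no RFC 3164 TAG field, which is what the note on the TAG field refers to.
    """
    if timestamp is None:
        timestamp = (datetime.now(timezone.utc).isoformat(timespec="milliseconds")
                     .replace("+00:00", "Z"))
    return f"<{pri(facility, severity)}>1 {timestamp} {hostname} {app_name} - - - {msg}"


def _split_sd(rest: str):
    """Separate STRUCTURED-DATA from MSG; SD is '-' or one or more [id k="v" ...] elements."""
    if rest.startswith("-"):
        return "-", rest[1:].lstrip(" ")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j, in_quote = i + 1, False
        while j < len(rest):
            c = rest[j]
            if c == '"' and rest[j - 1] != "\\":
                in_quote = not in_quote     # a ']' inside a quoted value does not end the element
            elif c == "]" and not in_quote:
                break
            j += 1
        i = j + 1
    return rest[:i], rest[i:].lstrip(" ")


def parse_message(line: str) -> dict:
    """Split an RFC 5424 line into its header fields and decode PRI back to names."""
    parts = line.rstrip("\n").split(" ", 6)
    if len(parts) < 7 or not parts[0].startswith("<") or ">" not in parts[0]:
        raise ValueError("not an RFC 5424 message")
    pri_text, version = parts[0][1:].split(">", 1)
    if not pri_text.isdigit() or not 0 <= int(pri_text) <= 191 or version != "1":
        raise ValueError("bad PRI or VERSION")
    facility_code, severity_code = divmod(int(pri_text), 8)
    sd, msg = _split_sd(parts[6])
    return {
        "pri": int(pri_text),
        "facility": FACILITY_NAMES[facility_code],
        "severity": SEVERITY_NAMES[severity_code],
        "timestamp": parts[1], "hostname": parts[2], "app_name": parts[3],
        "procid": parts[4], "msgid": parts[5], "sd": sd, "msg": msg,
    }


if __name__ == "__main__":
    # Constructed sample values; the facility matches the profile default (user).
    line = build_message("user", "notice", "xsoar.example.test", "cortex-xsoar",
                         "user admin logged in")
    print(line)
    print(parse_message(line))
```

Because the facility is fixed in the server profile and the severity comes from the event, a receiver rule that keys on the PRI range (for example 8 to 15 for facility user) will match every message the profile sends regardless of severity.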

When configuring a syslog server, Cortex XSOAR sends a test message. You can also send a test message manually by going to Settings & Info → Settings → Integrations → Syslog Servers, right-clicking the syslog server you want to test, and selecting Send test message.

If a test message cannot be sent, Cortex XSOAR displays an error message to help you troubleshoot. Below are the descriptions and suggested solutions for the error messages.

Host Resolving Failed

Description: The IP address or hostname you provided does not exist, or cannot be resolved.

Solution: Ensure you have the correct IP address or hostname.

Configured Local Address

Description: The IP address or hostname you provided is internal and cannot be used.

Solution: Ensure you have the correct IP address or hostname.

Wrong Certificate Format

Description: The certificate you uploaded is in an unexpected format and cannot be used. The certificate must be an ASCII string or a bytes-like object.

Solution: Recreate the certificate in the correct format, for example:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Connection Timed Out

Description: Cortex XSOAR did not connect to the syslog server in the expected time, possibly because your firewall blocked the connection or the syslog server configuration caused it to drop the connection.

Solution: Check the firewall logs and the connection using a network packet analyzer such as Wireshark.

Connection Refused

Description: The syslog server refused the connection, possibly because your firewall blocked the connection or the syslog server configuration caused it to drop the connection.

Solution: Check the firewall logs and the connection using a network packet analyzer such as Wireshark.

Connection Reset

Description: The connection was reset by the syslog server, possibly because your firewall blocked the connection or the syslog server configuration caused it to drop the connection.

Solution: Check the firewall logs and the connection using a network packet analyzer such as Wireshark.

Certificate Verification Failed

Description: The uploaded certificate could not be verified for one of the following reasons:

  • The certificate does not correspond to the certificate on the syslog server and cannot be validated.

    Solution: To check that the certificate you are uploading corresponds to the syslog server certificate, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

  • The certificate does not have the correct hostname.

    Solution: Ensure that the hostname/IP address in the certificate matches the syslog server.

  • You are using a certificate chain and did not merge the certificates into one certificate.

    Solution: If you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command in Linux or macOS.

    cat intermediate_cert root_cert > merged_syslog.crt

    If the concatenated certificate doesn't work, change the order of the root and intermediate certificates, and try again.

    To verify that the chain certificate was saved correctly, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

Connection Terminated Abruptly

Description: The firewall or the syslog server dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration on the syslog server drops the connection, or the network is unstable.

Solution: Check the firewall logs and the connection using a network packet analyzer such as Wireshark.

Host Unreachable

Description: The network configuration is faulty and the connection can't reach the syslog server.

Solution: Check the network configuration to verify that everything is configured correctly; for example, a firewall or a load balancer may be directing the connection to a dead server.

SSL Error

Description: Unknown SSL error.

Solution: To investigate the issue, contact customer support.

Connection Unavailable

Description: General error.

Solution: To investigate the issue, contact customer support.
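To compare the error Cortex XSOAR reports with what your own network sees, the following Python is an added example, not Cortex XSOAR code. probe() connects to a syslog receiver the way the Protocol parameter describes (TCP, UDP, or TCP + SSL with the uploaded CA file), sends one RFC 5424 test line, and maps any failure to the error names used in the table above; private or loopback destinations are reported as Configured Local Address before any connection is made, since a cloud tenant cannot reach them. The test line and the loopback receiver are constructed so the probe can be exercised offline; the function and parameter names are this example's own.

```python
"""Reproduce the Send test message check from your own network.

Added example, not Cortex XSOAR code. The test line and the loopback
receiver are constructed for offline use.
"""
import errno
import ipaddress
import socket
import ssl
import threading

# Constructed RFC 5424 test line: facility user (1), severity notice (5) -> PRI 13.
TEST_LINE = "<13>1 2024-03-07T12:00:00.000Z probe.example.test syslog-probe - - - test message\n"


def classify(exc: OSError) -> str:
    """Map a socket/ssl exception to the error name used in the troubleshooting table."""
    if isinstance(exc, socket.gaierror):
        return "Host Resolving Failed"
    if isinstance(exc, socket.timeout):            # alias of TimeoutError on Python 3.10+
        return "Connection Timed Out"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "Certificate Verification Failed"
    if isinstance(exc, ssl.SSLError):
        return "SSL Error"
    if isinstance(exc, ConnectionRefusedError):
        return "Connection Refused"
    if isinstance(exc, ConnectionResetError):
        return "Connection Reset"
    if isinstance(exc, BrokenPipeError):
        return "Connection Terminated Abruptly"
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "Host Unreachable"
    return "Connection Unavailable"


def probe(host, port, protocol="TCP", cafile=None, timeout=5.0, allow_local=False):
    """Return "Valid" on success, otherwise the troubleshooting-table error name."""
    try:
        socktype = socket.SOCK_DGRAM if protocol == "UDP" else socket.SOCK_STREAM
        family, _, _, _, sockaddr = socket.getaddrinfo(host, port, type=socktype)[0]
        address = ipaddress.ip_address(sockaddr[0].split("%")[0])
        if not allow_local and not address.is_global:
            return "Configured Local Address"    # RFC 1918, loopback, link-local, ...
        if protocol == "UDP":
            with socket.socket(family, socket.SOCK_DGRAM) as sock:
                sock.sendto(TEST_LINE.encode(), sockaddr)
            return "Valid"                       # UDP gives no acknowledgement either way
        sock = socket.create_connection(sockaddr[:2], timeout=timeout)
        try:
            if protocol == "TCP + SSL":
                # cafile=None uses the system trust store; otherwise only the uploaded CA.
                ctx = ssl.create_default_context(cafile=cafile)
                sock = ctx.wrap_socket(sock, server_hostname=host)  # checks chain and hostname
            sock.sendall(TEST_LINE.encode())
        finally:
            sock.close()
        return "Valid"
    except OSError as exc:
        return classify(exc)


def start_local_receiver(protocol="TCP"):
    """One-shot loopback receiver for exercising probe() offline.

    Returns (port, received, thread); received gets the decoded line.
    """
    received = []
    kind = socket.SOCK_DGRAM if protocol == "UDP" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5)
    if protocol != "UDP":
        srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            if protocol == "UDP":
                data, _ = srv.recvfrom(4096)
            else:
                conn, _ = srv.accept()
                with conn:
                    conn.settimeout(5)
                    data = conn.recv(4096)
            received.append(data.decode())
        except OSError:
            pass
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, received, thread


def unused_port() -> int:
    """A loopback port with no listener, to reproduce "Connection Refused"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]
```

Against a real receiver, call probe("syslog.example.test", 6514, "TCP + SSL", cafile="merged_syslog.crt") from a host that can reach it: a result other than Valid names the same table entry Cortex XSOAR would show, and a Certificate Verification Failed here with the merged bundle points at the chain rather than at the firewall. The loopback receiver exists only so the probe can be exercised without a real syslog server.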