Add and manage syslog servers. Define the syslog server parameters.
To send Cortex XSOAR audit notifications to your syslog server, you need to enable access in your firewall configuration and define the settings for the server in Cortex XSOAR.
To view, manage, and create a syslog server, go to Settings & Info → Settings → Integrations → Syslog Servers.
For an existing syslog server, right-click on a row to edit, delete, or send a test message. If a message fails, see the troubleshooting section.
The Status field displays a Valid or Invalid TCP connection. Cortex XSOAR tests the connection with the syslog server every 10 minutes.
Note
Cortex XSOAR supports OpenSSL 1.1.1 and later.
Before you begin, you need to enable access to the following Cortex XSOAR IP addresses for your region in your firewall.
Region | Log Forwarding IP Addresses |
---|---|
United States (US) | |
Germany (DE) | |
Europe (EU) | |
Canada (CA) | |
United Kingdom (UK) | |
Singapore (SG) | |
Japan (JP) | |
Australia (AU) | |
United States - Government | |
India (IN) | |
Switzerland (CH) | |
Italy (IT) | |
Poland (PL) | |
South Korea (KR) | |
Taiwan (TW) | |
Qatar (QT) | |
France (FA) | |
Israel (IL) | |
Saudi Arabia (SA) | |
Select Settings & Info → Settings → Integrations → Syslog Servers → New Server.
Define the syslog server parameters.
Parameter
Description
Name
Unique name for the server profile.
Destination
IP address or fully qualified domain name (FQDN) of the syslog server.
Port
The port number on which to send syslog messages.
Facility
Select one of the standard syslog facility values. The value is carried in the PRI field of every message and determines how your syslog server routes and stores the messages. For details on the facility field, see RFC 5424.
Protocol
Select a method of communication:
TCP: Plaintext. Neither the connection nor the data is validated; the Test connection still fails if the destination name cannot be resolved or the connection is refused.
UDP: No error checking, error correction, or acknowledgment. Neither the connection nor the sent data is validated, so a test message cannot confirm delivery.
TCP + SSL: Cortex XSOAR validates the syslog server certificate (against the CA you upload, or a trusted public root CA) and encrypts the session with TLS.
Certificate
The communication between Cortex XSOAR and the syslog destination can use TLS. If so, on connection Cortex XSOAR validates that the syslog receiver presents a certificate signed either by a trusted root CA or by the self-signed CA you upload here. If you use a public certificate and receive a certificate error, you may need to merge the root and intermediate certificates into one file.
If your syslog receiver uses a self-signed CA, click Browse and upload that CA certificate. If the receiver's certificate chains to a trusted public root CA, leave the certificate field empty.
Note
Up to TLS 1.2 is supported.
Upload the CA's public certificate (the one whose key signed the receiver's certificate), never a private key.
You can choose to ignore certificate errors. For security reasons this is not recommended: logs are then forwarded even if the certificate fails validation, so the receiver's identity is never verified and a host on the path could impersonate it.
Test the parameters to ensure a valid connection.
Create the syslog server.
You can define up to five syslog servers. Upon success, the table displays the syslog servers and their status.
Set up management audit notification forwarding. For more information, see Configure log and notification forwarding.
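Before uploading a CA for the TCP + SSL option, it helps to check the file the way a TLS client will parse it. The following is an added example, not Cortex XSOAR code: it splits a PEM bundle, re-wraps each base64 body at 64 columns, decodes it to DER, loads the bundle through Python's ssl module (OpenSSL) and summarizes the CA certificates it contains. The sample certificate is the self-signed root that appears in this page's troubleshooting table; the function names are this example's own. The same check covers the Wrong Certificate Format and unmerged-chain cases in the troubleshooting table below.

```python
"""Added example: sanity-check a CA bundle before uploading it as the Certificate
parameter. Not product code; function names are this example's own."""
import re
import ssl
import time

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Sample self-signed root from this page ("SURS-CharlieAlpha-Root"), wrapped at 64 columns.
SAMPLE_ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIQSwieRyGdh6BNRQyp406bnTANBgkqhkiG9w0BAQsFADAh
MR8wHQYDVQQDExZTVVJTLUNoYXJsaWVBbHBoYS1Sb290MB4XDTIwMDQzMDE4MjEz
NFoXDTMwMDQzMDE4MzEzNFowITEfMB0GA1UEAxMWU1VSUy1DaGFybGllQWxwaGEt
Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJHH2HR/CzVzm9lO
Iu6rrtF9opYeIJdtgJR2Le7w4M56lFKIoziAfZD9qR0DqXpAV+42PZC8Oe4ueweD
44OKTnaofbOxQvygelvHkFyAj+oz0VppzhmeUXh1Eux96QKB+Q+vSm8FbNlBL2SI
8RhceYsWtZe5vBm/zDdV2alO5LJ3rEj9ycG1a7re1wSDQ67NaSrny+C/7IL5utlV
spcgjslEiGM7D30uKszpq3CCeV9f7aPHCVZbbFRBxe4cbgZjGvE7Mm1OBbsypMT3
z8jmSj7Kz5ui6R8mlqtll5MkIGtvmc1aypJHKrobwcs2ozEmLiVR0F1oJrl+PIZy
5MXhBUcCAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFIJ1ZhG0dkgwF8OOB/eT4u/9yowaMBAGCSsGAQQBgjcVAQQDAgEAMA0G
CSqGSIb3DQEBCwUAA4IBAQBvDQ4Epr0zxQHuyziDtlauddVsrLpckljHc+dCIhBv
GMzGEj47Cb0c/eNt6tHrPThyzRxOHd9GBMX4AxLccPNuCZdWIRTgb4SYzDspGEYD
K7v/N5+FvpYdWRgB4msUXhHt36ivH450XuY8Slt+qbQWNVU2+xIkMSSA3mUwnK+h
z1GwO/Zc2JYOaVZUrW39EuzNePJ+O6BlgMRMRPNGzgT+xSxt316r/QnVA2sk4IXs
hdGGMG0VcuzBCyeuiCRP5/2QeFthas5EoXbdlB5eK3VzqLtiKyua/kS/hPuKahN9
mI8FZ4TNB+nd6+eRQs2nsnbVOFmmOYu5KkGnDOjTzRh4
-----END CERTIFICATE-----
"""


def normalize_pem(block):
    """Strip whitespace from the base64 body and re-wrap it at 64 columns. A body
    pasted as one long line is a common cause of 'Wrong Certificate Format'."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", block)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_length_ok(der):
    """True if the decoded bytes are one DER SEQUENCE whose length matches the data."""
    if not der or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def inspect_ca_bundle(text):
    """Parse every certificate in the bundle with OpenSSL and summarize the CAs."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM certificate found: the upload must be an ASCII PEM file")
    normalized = [normalize_pem(b) for b in blocks]
    for pem in normalized:
        der = ssl.PEM_cert_to_DER_cert(pem)  # raises on content that is not base64
        if not der_length_ok(der):
            raise ValueError("PEM body is not a DER certificate")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata="".join(normalized))  # ssl.SSLError if OpenSSL rejects one
    cas = []
    for cert in ctx.get_ca_certs():  # only certificates OpenSSL considers CAs
        subject = dict(pair for rdn in cert["subject"] for pair in rdn)
        issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
        cas.append({
            "subject": subject.get("commonName"),
            "issuer": issuer.get("commonName"),
            "self_signed": subject == issuer,
            "not_after": cert["notAfter"],
            "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < time.time(),
        })
    return {"certificates": len(blocks), "ca_certificates": ctx.cert_store_stats()["x509_ca"],
            "cas": cas, "normalized_pem": "".join(normalized)}


def bundle_error(text):
    """None if the bundle is usable as the Certificate upload, otherwise a short reason."""
    try:
        info = inspect_ca_bundle(text)
    except (ValueError, ssl.SSLError) as exc:
        return f"Wrong Certificate Format: {exc}"
    if info["ca_certificates"] == 0:
        return "no CA certificate in the bundle (upload the CA, not the receiver's leaf certificate)"
    if any(ca["expired"] for ca in info["cas"]):
        return "a CA certificate in the bundle has expired"
    return None


if __name__ == "__main__":
    print(inspect_ca_bundle(SAMPLE_ROOT_CA_PEM)["cas"])
    print(bundle_error(SAMPLE_ROOT_CA_PEM))
```

For a merged root-plus-intermediate chain, pass the whole concatenated file: `certificates` then reports how many blocks were found and `ca_certificates` how many of them OpenSSL accepted as CAs, which is the quickest way to see that a leaf certificate was pasted in by mistake.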
The following table describes the syslog features.
Supported format
RFC 5424. For more information, see RFC 5424.
Supported protocols
TCP, UDP, and TCP + SSL (TLS), as selected in the Protocol parameter. Note: Unix domain socket transport is not supported.
Structure
Syslog header (RFC 5424), for example <9>1 2020-03-22T07:55:07.964311Z cortexxsoar:
<9>: PRI (priority field)
1: version number
2020-03-22T07:55:07.964311Z: timestamp of when the log was sent
cortexxsoar: host name
CEF header, in wire order:
Vendor="Palo Alto Networks" (constant string)
Device Product="Cortex XSOAR" (constant string)
Device Version=Cortex XSOAR version
Device Event Class ID="Management Audit Logs" (constant string)
name=type
Severity=integer (0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
CEF body:
suser=user end=timestamp externalId=external_id cs1Label=email (constant string) cs1=user_mail cs2Label=subtype (constant string) cs2=subtype cs3Label=result (constant string) cs3=result cs4Label=reason (constant string) cs4=reason msg=event_description tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=csp_id
Note: The TAG field is not supported. The priority (PRI) is calculated from the facility (user-level by default) and the event severity, and cannot be overridden.
Login message
Cortex XSOAR 8 login message example:
<14>1 2023-06-15T14:43:42.049391Z cortexxsoar - - - - CEF:0 |Palo Alto Networks|Cortex XSOAR|Cortex XSOAR 8.3.0 |Management Audit Logs|AUTH|0|suser=John Smith end=1686840220823 externalId=238 cs1Label=email cs1=jsmith@example.com cs2Label=subtype cs2=Login cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None msg=None tenantname=XSOAR Migration 1 tenantCDLid=9997230752790 CSPaccountname=211459
Playbook edit
Cortex XSOAR 8 playbook edit example:
<14>1 2023-06-27T14:44:31.830917Z cortexxsoar - - - - CEF:0 |Palo Alto Networks|Cortex XSOAR|Cortex XSOAR 8.3.0 |Management Audit Logs|XSOAR|0|suser=jSmith end=1687877065870 externalId=728 cs1Label=email cs1=jsmith@example.com cs2Label=subtype cs2=Edit - Playbook cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None msg=playbookName: test, ID: 9026be69-587f-4d15-8bc3-79f9e7e29dba tenantname=XSOAR Migration 3 tenantCDLid=9996914629072 CSPaccountname=211459
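To use these records in a SIEM or a detection rule they have to be split back into the syslog header, the CEF header and the labelled cs fields. The following parser is an added example, not part of this page or of Cortex XSOAR: it decodes the PRI into facility and severity, parses the CEF header and extensions, resolves the csNLabel/csN pairs into named fields, and runs one detection over the two sample records from this page plus a constructed failed-login record (the FAILURE/Bad credentials line is made up for the example). The rule in `audit_alerts` and all function names are this example's own.

```python
"""Added example: parse the RFC 5424 + CEF audit records Cortex XSOAR forwards
and run a small detection over them. Not product code."""
import re

FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
               "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
CEF_SEVERITY = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}  # mapping stated on this page
CEF_HEADER = ("vendor", "product", "version", "event_class_id", "name", "severity")

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# XSOAR sends '-' for the last four; structured data containing spaces is not handled.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
                       r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$", re.S)
# CEF extension key=value pairs; values may contain spaces, so stop only before the next key.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)

# Samples from this page (login, playbook edit) plus one constructed failed login.
SAMPLE_LOGIN = ('<14>1 2023-06-15T14:43:42.049391Z cortexxsoar - - - - CEF:0 |Palo Alto Networks|Cortex XSOAR|'
                'Cortex XSOAR 8.3.0 |Management Audit Logs|AUTH|0|suser=John Smith end=1686840220823 '
                'externalId=238 cs1Label=email cs1=jsmith@example.com cs2Label=subtype cs2=Login '
                'cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None msg=None tenantname=XSOAR Migration 1 '
                'tenantCDLid=9997230752790 CSPaccountname=211459')
SAMPLE_PLAYBOOK_EDIT = ('<14>1 2023-06-27T14:44:31.830917Z cortexxsoar - - - - CEF:0 |Palo Alto Networks|Cortex XSOAR|'
                        'Cortex XSOAR 8.3.0 |Management Audit Logs|XSOAR|0|suser=jSmith end=1687877065870 '
                        'externalId=728 cs1Label=email cs1=jsmith@example.com cs2Label=subtype cs2=Edit - Playbook '
                        'cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None '
                        'msg=playbookName: test, ID: 9026be69-587f-4d15-8bc3-79f9e7e29dba tenantname=XSOAR Migration 3 '
                        'tenantCDLid=9996914629072 CSPaccountname=211459')
SAMPLE_LOGIN_FAILED = SAMPLE_LOGIN.replace("externalId=238", "externalId=239").replace(
    "cs3=SUCCESS cs4Label=reason cs4=None", "cs3=FAILURE cs4Label=reason cs4=Bad credentials")  # constructed


def parse_cef(msg):
    """Split 'CEF:0 |vendor|product|version|class id|name|severity|extension'."""
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].strip().startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: v.strip().replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[1:7])}
    header["cef_version"] = parts[0].strip()[4:]
    header["severity"] = int(header["severity"])
    header["severity_label"] = CEF_SEVERITY.get(header["severity"], "Unknown")
    ext = {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in EXT_RE.findall(parts[7].strip())}
    # Resolve csNLabel/csN pairs into named fields (cs1Label=email cs1=x -> email=x).
    fields = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    return header, ext, fields


def parse_audit_record(line):
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 5424 record")
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    header, ext, fields = parse_cef(m.group("msg"))
    return {"pri": pri, "facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group("timestamp"), "hostname": m.group("hostname"),
            "cef": header, "ext": ext, "fields": fields}


def audit_alerts(lines):
    """Return (externalId, reason) for records a SOC would want to review:
    failed logins and changes to playbooks (automation content)."""
    alerts = []
    for line in lines:
        rec = parse_audit_record(line)
        f, ext = rec["fields"], rec["ext"]
        if f.get("subtype") == "Login" and f.get("result") != "SUCCESS":
            alerts.append((ext.get("externalId"), f"failed login for {f.get('email')}: {f.get('reason')}"))
        elif rec["cef"]["name"] == "XSOAR" and f.get("subtype", "").startswith("Edit - Playbook"):
            alerts.append((ext.get("externalId"), f"playbook changed by {ext.get('suser')}: {ext.get('msg')}"))
    return alerts


if __name__ == "__main__":
    for alert in audit_alerts([SAMPLE_LOGIN, SAMPLE_LOGIN_FAILED, SAMPLE_PLAYBOOK_EDIT]):
        print(alert)
```

The extension parser deliberately stops a value only at the next `key=` token, because values such as `suser=John Smith` and `msg=playbookName: test, ID: ...` contain spaces; a naive split on whitespace would truncate them.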
When configuring a syslog server, Cortex XSOAR sends a test message. You can also manually send a test message, by going to Settings & Info → Settings → Integrations → Syslog Servers, right-click the syslog server you want to test, and select Send test message.
If a test message cannot be sent, Cortex XSOAR displays an error message to help you troubleshoot. Below are the descriptions and suggested solutions for the error messages.
Error Message | Description | Solution |
---|---|---|
Host Resolving Failed | The IP address or hostname you provided does not exist, or cannot be resolved. | Ensure you have the correct IP address or hostname. |
Configured Local Address | The IP address or hostname you provided is internal and cannot be used. | Ensure you have the correct IP address or hostname. |
Wrong Certificate Format | The uploaded file is not in the expected format. The certificate must be a PEM-encoded (Base64 ASCII) file: a -----BEGIN CERTIFICATE----- line, the base64 body, and a -----END CERTIFICATE----- line. | Export or convert the certificate to PEM, with the base64 body wrapped at 64 characters per line, for example:
-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIQSwieRyGdh6BNRQyp406bnTANBgkqhkiG9w0BAQsFADAh
MR8wHQYDVQQDExZTVVJTLUNoYXJsaWVBbHBoYS1Sb290MB4XDTIwMDQzMDE4MjEz
NFoXDTMwMDQzMDE4MzEzNFowITEfMB0GA1UEAxMWU1VSUy1DaGFybGllQWxwaGEt
Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJHH2HR/CzVzm9lO
Iu6rrtF9opYeIJdtgJR2Le7w4M56lFKIoziAfZD9qR0DqXpAV+42PZC8Oe4ueweD
44OKTnaofbOxQvygelvHkFyAj+oz0VppzhmeUXh1Eux96QKB+Q+vSm8FbNlBL2SI
8RhceYsWtZe5vBm/zDdV2alO5LJ3rEj9ycG1a7re1wSDQ67NaSrny+C/7IL5utlV
spcgjslEiGM7D30uKszpq3CCeV9f7aPHCVZbbFRBxe4cbgZjGvE7Mm1OBbsypMT3
z8jmSj7Kz5ui6R8mlqtll5MkIGtvmc1aypJHKrobwcs2ozEmLiVR0F1oJrl+PIZy
5MXhBUcCAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFIJ1ZhG0dkgwF8OOB/eT4u/9yowaMBAGCSsGAQQBgjcVAQQDAgEAMA0G
CSqGSIb3DQEBCwUAA4IBAQBvDQ4Epr0zxQHuyziDtlauddVsrLpckljHc+dCIhBv
GMzGEj47Cb0c/eNt6tHrPThyzRxOHd9GBMX4AxLccPNuCZdWIRTgb4SYzDspGEYD
K7v/N5+FvpYdWRgB4msUXhHt36ivH450XuY8Slt+qbQWNVU2+xIkMSSA3mUwnK+h
z1GwO/Zc2JYOaVZUrW39EuzNePJ+O6BlgMRMRPNGzgT+xSxt316r/QnVA2sk4IXs
hdGGMG0VcuzBCyeuiCRP5/2QeFthas5EoXbdlB5eK3VzqLtiKyua/kS/hPuKahN9
mI8FZ4TNB+nd6+eRQs2nsnbVOFmmOYu5KkGnDOjTzRh4
-----END CERTIFICATE----- |
Connection Timed Out | Cortex XSOAR did not connect to the syslog server within the expected time, possibly because your firewall blocked the connection or the syslog server configuration caused it to drop the connection. | Check the firewall logs and inspect the connection with a network packet analyzer such as Wireshark. |
Connection Refused | The syslog server refused the connection, possibly because your firewall blocked the connection, nothing is listening on the configured port, or the syslog server configuration caused it to drop the connection. | Check the firewall logs, confirm the receiver is listening on the configured port and protocol, and inspect the connection with a network packet analyzer such as Wireshark. |
Connection Reset | The connection was reset by the syslog server, possibly because your firewall blocked the connection or the syslog server configuration caused it to drop the connection. | Check the firewall logs and inspect the connection with a network packet analyzer such as Wireshark. |
Certificate Verification Failed | The uploaded certificate could not be verified, for one of the following reasons: the uploaded certificate does not correspond to the certificate on the syslog server; the certificate does not carry the correct hostname; or you are using a certificate chain and did not merge the certificates into one file. | Check that the certificate you upload corresponds to the syslog server's certificate, for example by verifying the receiver's certificate against the uploaded CA with openssl; if the certificate is correct, openssl reports that verification succeeded. Ensure that the hostname/IP address in the certificate matches the syslog server. If you use a chain, merge it into one file by concatenating the certificates (cat on Linux or macOS). If the concatenated certificate does not work, swap the order of the root and intermediate certificates and try again, then verify the merged chain with openssl; if the chain is correct, openssl reports that verification succeeded. |
Connection Terminated Abruptly | The firewall or the syslog server dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration on the syslog server drops the connection, or the network is unstable. | Check the firewall logs and the connection using a connection network packet analyzer, such as Wireshark. |
Host Unreachable | The network configuration is faulty and the connection can't reach the syslog server. | Check the network configuration to verify everything is configured correctly, such as a firewall or a load balancer which may be accidentally directing the connection to a dead server. |
SSL Error | Unknown SSL error. | To investigate the issue, contact customer support. |
Connection Unavailable | General error. | To investigate the issue, contact customer support. |
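The error names above map cleanly onto the exceptions a TLS-capable syslog client raises, so the test can be reproduced from a host you control before blaming the firewall. The following client is an added example, not Cortex XSOAR code: it resolves the destination, refuses private or loopback addresses the way the product does (Configured Local Address), sends one RFC 5424 test record over TCP, UDP or TCP + SSL with the facility/severity folded into the PRI, and returns the matching error name from the table. The trailing-newline framing, the message text and the `Cortex XSOAR syslog test message` wording are assumptions of this example; `start_tcp_receiver` and `reserve_closed_port` are lab helpers that stand in for the real receiver.

```python
"""Added example: a stand-in for the Cortex XSOAR 'Send test message' check that
maps failures to the error names in the troubleshooting table. Not product code."""
import errno
import ipaddress
import socket
import ssl
import threading
from datetime import datetime, timezone


def syslog_pri(facility, severity):
    """RFC 5424 PRI = facility * 8 + severity (1 * 8 + 6 = 14 for user/informational)."""
    return facility * 8 + severity


def build_test_message(facility=1, severity=6, hostname="cortexxsoar"):
    # Header layout follows the records on this page: PRI, version 1, timestamp,
    # host name, then '-' for app-name, procid, msgid and structured data.
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return f"<{syslog_pri(facility, severity)}>1 {ts} {hostname} - - - - Cortex XSOAR syslog test message\n".encode()


def send_test_message(host, port, protocol="TCP", ca_pem=None,
                      ignore_cert_errors=False, reject_local=True, timeout=5.0):
    """Return (ok, error_name, detail); error_name uses the troubleshooting table's wording."""
    msg = build_test_message()
    socktype = socket.SOCK_DGRAM if protocol == "UDP" else socket.SOCK_STREAM
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socktype)[0]
    except socket.gaierror as exc:
        return False, "Host Resolving Failed", str(exc)
    ip = ipaddress.ip_address(addr[0].split("%")[0])
    if reject_local and (ip.is_private or ip.is_loopback):
        return False, "Configured Local Address", f"{ip} is not reachable from a cloud tenant"
    try:
        if protocol == "UDP":
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.sendto(msg, addr)
            return True, None, "datagram sent; UDP gives no acknowledgement, so delivery is unconfirmed"
        sock = socket.create_connection((addr[0], port), timeout=timeout)
        if protocol == "TCP + SSL":
            ctx = ssl.create_default_context(cadata=ca_pem)  # cadata=None -> system trust store
            # The page states up to TLS 1.2 is supported, so pin the client to 1.2: a receiver
            # that insists on TLS 1.3 then fails here the same way it would for the product.
            ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
            if ignore_cert_errors:  # the 'ignore certificate errors' option; not recommended
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(msg)
        return True, None, "sent"
    except socket.timeout as exc:
        return False, "Connection Timed Out", str(exc)
    except ConnectionRefusedError as exc:
        return False, "Connection Refused", str(exc)
    except ConnectionResetError as exc:
        return False, "Connection Reset", str(exc)
    except ssl.SSLCertVerificationError as exc:  # unknown CA, hostname mismatch, expired ...
        return False, "Certificate Verification Failed", exc.verify_message or str(exc)
    except ssl.SSLError as exc:
        return False, "SSL Error", str(exc)
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return False, "Host Unreachable", str(exc)
        return False, "Connection Unavailable", str(exc)


def start_tcp_receiver():
    """Lab stand-in for the syslog server: accept one connection on 127.0.0.1 and
    collect whatever arrives until the client closes. Returns (port, received, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def run():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
        received.append(data)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, received, t


def reserve_closed_port():
    """Pick an ephemeral port and release it, leaving nothing listening there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, received, t = start_tcp_receiver()
    print(send_test_message("127.0.0.1", port, "TCP", reject_local=False))
    t.join(5)
    print(received[0])
    print(send_test_message("syslog.invalid", 6514, "TCP + SSL"))
```

Against a real receiver, run it from a host on the same path the cloud tenant uses and pass the uploaded CA as `ca_pem`; a Certificate Verification Failed result there, with the OpenSSL reason in the detail string, is the hostname or chain problem described in the table, and reproducing it locally is faster than re-uploading certificates.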