Integrate a Syslog Receiver

If you want to send Cortex XDR notifications to a Syslog receiver, you can set up log forwarding to the receiver.
To send Cortex XDR notifications to your Syslog server, you need to define the settings for the Syslog receiver from which you want to send notifications.
  1. Before you define the Syslog settings, enable access to the following Cortex XDR IP addresses for your deployment region in your firewall configurations:
    Region
    Log Forwarding IP Addresses
    United States - Americas (US)
    • 35.232.87.9
    • 35.224.66.220
    Netherlands - Europe (EU)
    • 34.90.202.186
    • 34.90.105.250
    Canada (CA)
    • 35.203.54.204
    • 35.203.52.255
    United Kingdom (UK)
    • 34.105.227.105
    • 34.105.149.197
    Singapore (SG)
    • 35.240.192.37
    • 34.87.125.227
    Japan (JP)
    • 34.84.88.183
    • 35.243.76.189
    Australia (AU)
    • 35.189.38.167
    • 34.87.219.39
    United States - Government
    • 104.198.222.185
    • 35.239.59.210
    India (IN)
    • 34.93.247.41
    • 34.93.183.131
  2. Select
    Settings ( )
    Configurations
    Integrations
    External Applications
    .
  3. In
    Syslog Servers
    , add a
    + New Server
    .
  4. Define the Syslog server parameters:
    • Name
      —Unique name for the server profile.
    • Destination
      —IP address or fully qualified domain name (FQDN) of the Syslog server.
    • Port
      —The port number on which to send Syslog messages.
    • Facility
      —Choose one of the Syslog standard values. The value maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.
    • Protocol
      —Select a method of communication with the Syslog server:
      • TCP
        —No validation is made on the connection with the Syslog server. However, if an error occurred with the domain used to make the connection, the
        Test
        connection will fail.
      • UDP
        —Cortex XDR runs a validation to ensure connection was made with the syslog server.
      • TCP + SSL
        —Cortex XDR validates the syslog server certificate and uses the certificate signature and public key to encrypt the data sent over the connection.
    • Certificate
      —The communication between Cortex XDR and the Syslog destination can use TLS. In this case, upon connection, Cortex XDR validates that the Syslog receiver has a certificate signed by either a
      trusted root CA
      or a
      self-signed certificate
      . Cortex XDR validates that the Syslog receiver has a certificate signed by either a trusted root CA or a self signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate.
      Up to TLS 1.2 is supported.
      If your Syslog receiver uses a self signed CA,
      Browse
      and upload your self-signed Syslog receiver CA.
      Make sure the self-signed CA includes your public key.
      If you only use a trusted root CA leave the
      Certificate
      field empty.
    • Ignore Certificate Error
      —Cortex XDR does not recommend, but you can choose to select this option to ignore certificate errors if they occur. This will forward alerts and logs even if the certificate contains errors.
  5. Test
    the parameters to ensure a valid connection and
    Create
    when ready.
    You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their status.
  6. (
    Optional
    ) Manage your Syslog server connection.
    In the
    Syslog Servers
    table
    • Locate your Syslog server and right-click to
      Send text message
      to test the connection.
      Cortex XDR sends a message to the defined Syslog server which you can check to see if the test message indeed arrived.
    • Locate the
      Status
      field.
      The
      Status
      field displays a
      Valid
      or
      Invalid
      TCP connection. Cortex XDR tests connection with the Syslog server every 10min. If no connection is found after 1 hour, Cortex XDR send a notice to the Notification Center.
    If you find the Syslog data limited, Cortex XDR recommended to run the Get Alerts API for complete alert data.
  7. After you integrate with your Syslog receiver, you can configure your forwarding settings.

Recommended For You