1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR Pro Administrator’s Guide
    5. Broker VM
    6. Set up Broker VM
    7. Activate the Syslog Collector

    Activate the Syslog Collector

    Learn how to set up and activate the Syslog Collector applet on a broker VM within your network.
    Ingesting Logs and Data from external sources requires a
    Cortex
    XDR
     Pro per TB license.
    To receive Syslog data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network. The Syslog Collector supports a log ingestion rate of 90,000 logs per second (lps) with the recommended Broker VM setup.
    To increase the log ingestion rate, you can add additional CPUs to the broker VM. The Syslog Collector listens for logs on specific ports and from any or specific IP addresses.
    1. If you haven’t already done so, Configure the Broker VM.
    2. In
      Cortex
      XDR
      , navigate to
      Settings
      Configurations
      Data Broker
      Broker VMs
       and locate your broker VM.
    3. Right-click the broker VM and select
      Syslog Collector
      Activate
      .
    4. Configure your Syslog Collector:
      Cortex
      XDR
       supports multiple sources over a single port on a single Syslog Collector. The following options are available.
      • Edit the
        Optional Settings
         of the default
        PORT/PROTOCOL
        :
        514/UDP
        . See
        Step 5
        .
        Once configured, you cannot change the
        Port/PROTOCOL
        . If you don’t want to use a data source, ensure to remove the data source from the list as explained in
        Step 7
        .
      • Add a new Syslog Collector data source. See
        Step 6
        .
    5. Edit the default
      514/UDP
       Syslog Collector data source:
      1. Right-click the
        514/UDP
         PORT/PROTOCOL, and select
        Edit
        .
      2. Configure these
        Optional Settings
        :
        • Format
          —Select the Syslog format you want to send to the UDP 514 protocol and port on the Syslog Collector:
          Auto-Detect
           (default),
          CEF
          ,
          LEEF
          ,
          CISCO
          ,
          CORELIGHT
          , or
          RAW
          • The
            Vendor
             and
            Product
             defaults to
            Auto-Detect
             when the
            Log Format
             is set to
            CEF
             or
            LEEF
            .
          • For a
            Log Format
             set to
            CEF
             or
            LEEF
            ,
            Cortex
            XDR
             reads events row by row to look for the
            Vendor
             and
            Product
             configured in the logs. When the values are populated in the event log row,
            Cortex
            XDR
             uses these values even if you specified a value in the
            Vendor
             and
            Product
             fields in the Syslog Collector settings. Yet, when the values are blank in the event log row,
            Cortex
            XDR
             uses the
            Vendor
             and
            Product
             that you specified in the Syslog Collector settings. If you did not specify a
            Vendor
             or
            Product
             in the Syslog Collector settings and the values are blank in the event log row, the values for both fields are set to
            unknown
            .
        • Vendor
          —Specify a particular vendor for the Syslog format defined or leave the default
          Auto-Detect
           setting.
        • Product
          —Specify a particular product for the Syslog format defined or leave the default
          Auto-Detect
           setting.
        • Source Network
          —Specify the IP address or Classless Inter-Domain Routing (CIDR). If you leave this blank,
          Cortex
          XDR
           will allow receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the
          Source Network
           field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the addresses matter. In this example, the IP address 10.0.0.10 is only captured from the first row definition. For more information on prioritizing the order of the syslog formats, see
          Step #7
          .
        After each configuration, select to save the changes and then
        Done
         to update the Syslog Collector with your settings.
    6. Add a new Syslog Collector data source:
      1. Select
        Add New
        .
      2. Configure these mandatory
        General settings
        :
        • Protocol
          —Choose a protocol over which the Syslog will be sent:
          UDP
          ,
          TCP
          , or
          Secure TCP
        • Port
          —Choose a port on which the Syslog Collector will listen for logs.
          Because some port numbers are reserved by
          Cortex
          XDR
          , you must choose a port number that is not:
          -In the range of 0-1024 (except for 514)
          -In the range of 63000-65000
          -Values of 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 28672
        • When configuring the
          Protocol
           as
          Secure TCP
          , these additional
          General Settings
           are available:
          • Server Certificate
            Browse
             to your server certificate to configure server authentication.
          • Private Key
            Browse
             to your private key for the server certificate.
          • Optional CA Certificate
            —(
            Optional
            )
            Browse
             to your CA certificate for mutual authentication.
          • Minimal TLS Version
            —Select either
            1.0
             or
            1.2
             (default) as the minimum TLS version allowed.
          Cortex
          XDR
           will notify you when your certificates are about to expire.
      3. Configure these
        Optional Settings
        :
        • Format
          —Select the Syslog format you want to send to the UDP/514 protocol and port on the Syslog Collector:
          Auto-Detect
           (default),
          CEF
          ,
          LEEF
          ,
          CISCO
          ,
          CORELIGHT
          , or
          RAW
        • Vendor
          —Enter a particular vendor for the Syslog format defined or leave the default
          Auto-Detect
           setting.
        • Product
          —Enter a particular product for the Syslog format defined or leave the default
          Auto-Detect
           setting.
        • Source Network
          —Specify the IP address or Classless Inter-Domain Routing (CIDR). If you leave this blank,
          Cortex
          XDR
           will allow receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the
          Source Network
           field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the addresses matter. In this example, the IP address 10.0.0.10 is only captured from the first row definition. For more information on prioritizing the order of the syslog formats, see
          Step #7
          .
        After each configuration, select to save the changes and then
        Done
         to update the Syslog Collector with your settings.
    7. Make additional changes to the Syslog Collector data sources configured.
      • To remove a Syslog Collector data source, right-click the row after the
        Port/Protocol
         entry, and select
        Remove
        .
      • To prioritize the order of the Syslog formats listed for the protocols and ports configured, drag and drop the rows to the order you require.
    8. Save
       the Syslog Collector settings.
      After a successful activation, the
      Apps
       field, for the broker VM which you configured the Syslog Collector, displays
      Syslog Collector - Active, Connected
      .
    9. (
      Optional
      ) To view metrics about the Syslog Collector, hover over the
      Syslog Collector
       link in the Apps field.
      Cortex
      XDR
       displays the following information.
      • Connectivity Status
        —Whether the applet is connected to
        Cortex
        XDR
        .
      • Logs Received
         and
        Logs Sent
        —Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
      • Resources
        —Displays the amount of
        CPU
        ,
        Memory
        , and
        Disk
         space the applet is using.
    10. Manage the Syslog Collector.
      After the Syslog Collector has been activated, you can make additional changes to your configuration if needed. To modify a configuration, right-click your broker VM and select:
      • Syslog Collector
        Configure
         to redefine the Syslog configurations.
      • Syslog Collector
        Deactivate
         to disable the Syslog Collector.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo