Activate the Syslog Collector
Learn how to set up and activate the Syslog Collector applet on a broker VM within your network.

Ingesting logs and data from external sources requires a Cortex XDR Pro per TB license.

To receive Syslog data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network. The Syslog Collector supports a log ingestion rate of 90,000 logs per second (lps) with the recommended Broker VM setup. To increase the log ingestion rate, you can add additional CPUs to the broker VM. The Syslog Collector listens for logs on specific ports and from any or specific IP addresses.
1. If you haven't already done so, configure the Broker VM.
2. In Cortex XDR, navigate to Settings > Configurations > Data Broker > Broker VMs and locate your broker VM.
3. Right-click the broker VM and select Syslog Collector > Activate.
4. Configure your Syslog Collector. Cortex XDR supports multiple sources over a single port on a single Syslog Collector. The following options are available:
   - Edit the Optional Settings of the default PORT/PROTOCOL, 514/UDP. See Step 5. Once configured, you cannot change the Port/Protocol. If you don't want to use a data source, remove it from the list as explained in Step 7.
   - Add a new Syslog Collector data source. See Step 6.
5. Edit the default 514/UDP Syslog Collector data source:
   - Right-click the 514/UDP PORT/PROTOCOL and select Edit.
   - Configure these Optional Settings:
     - Format—Select the Syslog format you want to send to the UDP 514 protocol and port on the Syslog Collector: Auto-Detect (default), CEF, LEEF, CISCO, CORELIGHT, or RAW.
       - The Vendor and Product default to Auto-Detect when the Log Format is set to CEF or LEEF.
       - For a Log Format set to CEF or LEEF, Cortex XDR reads events row by row to look for the Vendor and Product configured in the logs. When the values are populated in the event log row, Cortex XDR uses these values even if you specified a value in the Vendor and Product fields in the Syslog Collector settings. When the values are blank in the event log row, Cortex XDR uses the Vendor and Product that you specified in the Syslog Collector settings. If you did not specify a Vendor or Product in the Syslog Collector settings and the values are blank in the event log row, both fields are set to unknown.
     - Vendor—Specify a particular vendor for the Syslog format defined or leave the default Auto-Detect setting.
     - Product—Specify a particular product for the Syslog format defined or leave the default Auto-Detect setting.
     - Source Network—Specify the IP address or Classless Inter-Domain Routing (CIDR) range. If you leave this blank, Cortex XDR allows receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the rows matters: in this example, the IP address 10.0.0.10 is only captured by the first row. For more information on prioritizing the order of the syslog formats, see Step 7.
   After each configuration, save the changes, and then select Done to update the Syslog Collector with your settings.
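The Vendor/Product precedence rule for CEF and LEEF (event row first, then the collector settings, then "unknown") is easy to get wrong when a device emits blank header fields. The following is an added example, not Cortex XDR's own parsing code: it pulls vendor and product out of a CEF or LEEF header that may follow a syslog prefix, then applies the page's rule against a hypothetical `CollectorSettings` model. The sample events and the vendor/product names in them are constructed for the example.

```python
import re
from dataclasses import dataclass

AUTO_DETECT = "Auto-Detect"
UNKNOWN = "unknown"


@dataclass
class CollectorSettings:
    """Vendor and Product fields of one Syslog Collector data source.
    Hypothetical model for this example, not the product's own schema."""
    vendor: str = AUTO_DETECT
    product: str = AUTO_DETECT


# A CEF or LEEF header may follow a syslog priority/timestamp/hostname prefix.
_HEADER_START = re.compile(r"\b(CEF|LEEF):")
# Header fields are pipe-delimited; a literal pipe inside a field is escaped as \|
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def parse_header(line: str):
    """Return (format, vendor, product) from the CEF/LEEF header in a syslog line,
    or None if the line has no such header. Vendor/product come back as '' when
    the producer left them blank."""
    m = _HEADER_START.search(line)
    if m is None:
        return None
    # fields[0] is the header version, fields[1] the vendor, fields[2] the product
    fields = _UNESCAPED_PIPE.split(line[m.end():])
    if len(fields) < 3:
        return None
    vendor = fields[1].replace("\\|", "|").strip()
    product = fields[2].replace("\\|", "|").strip()
    return m.group(1), vendor, product


def _pick(row_value: str, setting: str) -> str:
    # Precedence from the page: value in the event row, then the value typed in
    # the collector settings, then "unknown" when both are absent.
    if row_value:
        return row_value
    if setting and setting != AUTO_DETECT:
        return setting
    return UNKNOWN


def resolve_vendor_product(line: str, settings: CollectorSettings):
    """Apply the precedence rule to one event. Returns (vendor, product), or None
    when the line is not CEF/LEEF, the only formats the page states the rule for."""
    parsed = parse_header(line)
    if parsed is None:
        return None
    _, row_vendor, row_product = parsed
    return _pick(row_vendor, settings.vendor), _pick(row_product, settings.product)


# Constructed sample events (not real device output).
SAMPLE_CEF_FULL = "<134>Jan 10 10:00:00 fw01 CEF:0|Acme Networks|AcmeFW|10.1|THREAT|Test alert|5|src=10.0.0.5 dst=10.0.0.9"
SAMPLE_CEF_BLANK = "<134>Jan 10 10:00:01 fw01 CEF:0|||10.1|THREAT|Test alert|5|src=10.0.0.5"
SAMPLE_LEEF = "<13>Jan 10 10:00:02 idp01 LEEF:2.0|Acme Networks|AcmeIDP|3.1|login|^|src=10.0.0.7"
SAMPLE_RAW = "<13>Jan 10 10:00:03 host01 sshd[1234]: Accepted publickey for ops from 10.0.0.7"


def demo():
    """Run the samples through two collector configurations; returns the results by case."""
    auto = CollectorSettings()  # Vendor and Product left at Auto-Detect
    fixed = CollectorSettings(vendor="Acme Networks", product="AcmeFW")
    return {
        "full/auto": resolve_vendor_product(SAMPLE_CEF_FULL, auto),
        "blank/fixed": resolve_vendor_product(SAMPLE_CEF_BLANK, fixed),
        "blank/auto": resolve_vendor_product(SAMPLE_CEF_BLANK, auto),
        "leef/fixed": resolve_vendor_product(SAMPLE_LEEF, fixed),  # row values win over settings
        "raw/fixed": resolve_vendor_product(SAMPLE_RAW, fixed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} -> {result}")
```

The "blank/auto" case is the one to watch in practice: a device that leaves the header vendor and product empty while the collector settings stay at Auto-Detect yields events attributed to unknown/unknown, which is a good signal to fill in the Vendor and Product fields for that data source.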
6. Add a new Syslog Collector data source:
   - Select Add New.
   - Configure these mandatory General settings:
     - Protocol—Choose a protocol over which the Syslog will be sent: UDP, TCP, or Secure TCP.
     - Port—Choose a port on which the Syslog Collector will listen for logs. Because some port numbers are reserved by Cortex XDR, you must choose a port number that is not:
       - In the range of 0-1024 (except for 514)
       - In the range of 63000-65000
       - One of 4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, or 28672
     - When configuring the Protocol as Secure TCP, these additional General Settings are available:
       - Server Certificate—Browse to your server certificate to configure server authentication.
       - Private Key—Browse to your private key for the server certificate.
       - Optional CA Certificate—(Optional) Browse to your CA certificate for mutual authentication.
       - Minimal TLS Version—Select either 1.0 or 1.2 (default) as the minimum TLS version allowed.
   - Configure these Optional Settings:
     - Format—Select the Syslog format you want to send to the configured protocol and port on the Syslog Collector: Auto-Detect (default), CEF, LEEF, CISCO, CORELIGHT, or RAW.
     - Vendor—Enter a particular vendor for the Syslog format defined or leave the default Auto-Detect setting.
     - Product—Enter a particular product for the Syslog format defined or leave the default Auto-Detect setting.
     - Source Network—Specify the IP address or Classless Inter-Domain Routing (CIDR) range. If you leave this blank, Cortex XDR allows receipt of logs from any source IP address or CIDR that transmits over the specified protocol and port. When you specify overlapping addresses in the Source Network field in multiple rows, such as 10.0.0.10 in the first row and 10.0.0.0/24 in the second row, the order of the rows matters: in this example, the IP address 10.0.0.10 is only captured by the first row. For more information on prioritizing the order of the syslog formats, see Step 7.
   After each configuration, save the changes, and then select Done to update the Syslog Collector with your settings.
7. Make additional changes to the Syslog Collector data sources configured:
   - To remove a Syslog Collector data source, right-click the row after the Port/Protocol entry and select Remove.
   - To prioritize the order of the Syslog formats listed for the protocols and ports configured, drag and drop the rows into the order you require.
8. Save the Syslog Collector settings. After a successful activation, the Apps field for the broker VM on which you configured the Syslog Collector displays Syslog Collector - Active, Connected.
9. (Optional) To view metrics about the Syslog Collector, hover over the Syslog Collector link in the Apps field. Cortex XDR displays the following information:
   - Connectivity Status—Whether the applet is connected to Cortex XDR.
   - Logs Received and Logs Sent—Number of logs received and sent by the applet per second over the last 24 hours. If the number of incoming logs received is larger than the number of logs sent, it could indicate a connectivity issue.
   - Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
10. Manage the Syslog Collector. After the Syslog Collector has been activated, you can make additional changes to your configuration if needed. To modify a configuration, right-click your broker VM and select:
    - Syslog Collector > Configure to redefine the Syslog configurations.
    - Syslog Collector > Deactivate to disable the Syslog Collector.
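Two details of the data-source table are worth checking before you save: the port rules in Step 6 and the first-match ordering of overlapping Source Network rows described in Steps 5 to 7. The following is an added example, not code from Cortex XDR or the Broker VM: it models the table as a list of hypothetical `DataSource` rows, applies the page's port restrictions, resolves which row would capture an event from a given source IP, and flags rows that an earlier row already shadows completely (so they never receive logs). The example rows are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Individual ports the page lists as reserved by Cortex XDR, in addition to the
# 0-1024 (except 514) and 63000-65000 ranges.
RESERVED_PORTS = {4369, 5671, 5672, 5986, 6379, 8000, 8888, 9100, 15672, 28672}
PROTOCOLS = {"UDP", "TCP", "Secure TCP"}


def port_is_allowed(port: int) -> bool:
    """Port rules from the page: 514 is the only permitted port at or below 1024,
    63000-65000 and the listed individual ports are reserved."""
    if port == 514:
        return True
    if port <= 1024 or 63000 <= port <= 65000 or port > 65535:
        return False
    return port not in RESERVED_PORTS


@dataclass
class DataSource:
    """One row of the Syslog Collector data-source table (hypothetical model)."""
    port: int
    protocol: str
    log_format: str = "Auto-Detect"
    source_network: str = ""  # blank: accept any source IP address or CIDR

    def network(self):
        if not self.source_network:
            return None
        # strict=False lets a plain host address such as 10.0.0.10 become a /32
        return ipaddress.ip_network(self.source_network, strict=False)

    def accepts(self, src_ip: str) -> bool:
        net = self.network()
        if net is None:
            return True
        addr = ipaddress.ip_address(src_ip)
        return addr.version == net.version and addr in net


def match_row(rows, port: int, protocol: str, src_ip: str):
    """Index of the first row (in table order) whose port/protocol match and whose
    Source Network contains src_ip, or None when no row captures the event."""
    for idx, row in enumerate(rows):
        if row.port == port and row.protocol == protocol and row.accepts(src_ip):
            return idx
    return None


def shadowed_rows(rows):
    """Indexes of rows that can never match because an earlier row with the same
    port/protocol already covers their whole Source Network."""
    shadowed = []
    for j, later in enumerate(rows):
        for earlier in rows[:j]:
            if (earlier.port, earlier.protocol) != (later.port, later.protocol):
                continue
            e_net, l_net = earlier.network(), later.network()
            if e_net is None:  # earlier row accepts everything on this port/protocol
                shadowed.append(j)
                break
            if l_net is not None and l_net.version == e_net.version and l_net.subnet_of(e_net):
                shadowed.append(j)
                break
    return shadowed


def validate(rows):
    """Human-readable problems in a proposed table: bad protocol, reserved port,
    unparsable Source Network, and rows shadowed by an earlier row."""
    problems = []
    for i, row in enumerate(rows):
        if row.protocol not in PROTOCOLS:
            problems.append(f"row {i}: unknown protocol {row.protocol!r}")
        if not port_is_allowed(row.port):
            problems.append(f"row {i}: port {row.port} is reserved or out of range")
        try:
            row.network()
        except ValueError:
            problems.append(f"row {i}: invalid Source Network {row.source_network!r}")
    if any("invalid Source Network" in p for p in problems):
        return problems  # shadow analysis needs every network to parse
    for j in shadowed_rows(rows):
        problems.append(f"row {j}: never matches; an earlier {rows[j].port}/{rows[j].protocol} row already covers its Source Network")
    return problems


# Constructed table reproducing the page's overlap example, plus a Secure TCP row.
EXAMPLE_ROWS = [
    DataSource(514, "UDP", source_network="10.0.0.10"),
    DataSource(514, "UDP", source_network="10.0.0.0/24"),
    DataSource(6514, "Secure TCP", log_format="CEF"),
]

if __name__ == "__main__":
    print("10.0.0.10 -> row", match_row(EXAMPLE_ROWS, 514, "UDP", "10.0.0.10"))
    print("10.0.0.20 -> row", match_row(EXAMPLE_ROWS, 514, "UDP", "10.0.0.20"))
    print("problems after reversing rows:", validate(list(reversed(EXAMPLE_ROWS))))
```

Dragging the 10.0.0.0/24 row above the 10.0.0.10 row (Step 7) is the case `shadowed_rows` catches: the /24 now captures 10.0.0.10 first, so whatever Format, Vendor, or Product the host-specific row carried is silently never applied.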