Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Cortex XDR: Log Configuration

 

Overview:

To send Cortex XDR notifications to your Syslog server, you need to define the settings for the Syslog receiver from which you want to send notifications.

Configuration:

1. Select Settings --> Configurations --> Integrations --> External Applications.

2. In Syslog Servers, click + New Server.

3. Define the Syslog server parameters:

  1. Name: Unique name for the server profile.

  2. Destination: IP address of the CCE.

  3. Port: 514 (UDP).

  4. Facility: Choose one of the Syslog standard values. The value maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424.

  5. Protocol: UDP. Cortex XDR runs a validation to ensure a connection was made with the Syslog server.

Verification:

1) From the GUI: Log in to the GUI and check the log flow collection status to verify that the device is sending logs.

2) From the CCE: Log in to the CCE as the seceon user and run the command below to confirm that logs from the device are arriving on the server:

sudo tcpdump -i any port 514 and host <device_ip>
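The tcpdump check above only shows that packets reach port 514; it does not show whether the facility chosen in step 3.4 is what actually arrives. The following Python script is an added example, not part of the Seceon or Palo Alto documentation: it decodes the RFC 5424 PRI header of each message into facility and severity, counts them, and lists any message whose facility differs from the one configured. The sample messages are constructed for illustration, and the receive() helper (which binds UDP 514 and therefore needs root on the CCE) is an assumption about how you would feed it live traffic.

```python
"""Decode the RFC 5424 PRI field of syslog messages received from Cortex XDR.

Added example, not part of the Seceon or Palo Alto documentation. The sample
lines below are constructed for illustration, not real Cortex XDR output.
"""
import re
import socket
from collections import Counter

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample messages, as a UDP listener on port 514 would receive them.
SAMPLE_MESSAGES = [
    "<134>1 2024-05-01T10:00:00Z cortex-xdr - - - Alert: suspicious process",
    "<132>1 2024-05-01T10:00:05Z cortex-xdr - - - Incident updated",
    "<13>May  1 10:00:07 other-host sshd[123]: Accepted publickey for admin",
]


def decode_pri(message):
    """Return facility, severity and remaining text for one syslog message.

    Raises ValueError if the message does not start with a valid "<PRI>".
    """
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("no PRI header: %r" % message[:40])
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "pri": pri,
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "rest": message[match.end():],
    }


def facility_summary(messages):
    """Count messages per (facility, severity) so a mismatch against the
    facility chosen in the Cortex XDR profile shows up immediately."""
    return Counter(
        (d["facility"], d["severity"]) for d in map(decode_pri, messages)
    )


def unexpected_facility(messages, expected):
    """Return the messages whose facility differs from the configured one."""
    return [m for m in messages if decode_pri(m)["facility"] != expected]


def receive(bind_ip="0.0.0.0", port=514, count=10, timeout=30.0):
    """Collect up to `count` UDP datagrams on the syslog port and return
    (source_ip, message) pairs. Binding to 514 needs root; stops on timeout.
    Assumed helper for feeding live traffic into the functions above."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        try:
            while len(received) < count:
                data, (src_ip, _) = sock.recvfrom(65535)
                received.append((src_ip, data.decode("utf-8", "replace")))
        except socket.timeout:
            pass
    return received


if __name__ == "__main__":
    # Offline run on the constructed samples; on the CCE, replace
    # SAMPLE_MESSAGES with [m for _, m in receive()] to check live traffic.
    for (facility, severity), n in facility_summary(SAMPLE_MESSAGES).items():
        print("%-10s %-8s %d" % (facility, severity, n))
    print("not local0:", unexpected_facility(SAMPLE_MESSAGES, "local0"))
```

On the constructed samples the two Cortex XDR lines decode to local0 (PRI 134 = info, PRI 132 = warning) and the third line, from another host, decodes to user/notice and is reported as unexpected. Stop any local syslog daemon listening on 514 before calling receive(), or it will not be able to bind.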

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/integrate-a-syslog-receiver-for-outbound-notifications#forward-logs-to-a-syslog-receiver

Seceon Inc. All rights reserved. https://www.seceon.com