https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475305#M1745 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171314">@weejh</a>&nbsp;I suggest to by confirming the CISCO ISE Syslog format. Cortex XDR can receive Syslog from vendors that use CEF or LEEF formatted over Syslog (TLS not supported). You may reference the <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/external-data-ingestion/about-external-data-ingestion.html#about-external-data-ingestion" target="_self">external data ingestion vendor support</A> for additional details on log/data types and vendor support (E.g. custom external sources).&nbsp;</P> Wed, 23 Mar 2022 20:55:32 GMT WSeldenIII 2022-03-23T20:55:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/474860#M1739 <P>Hi&nbsp;</P><P>&nbsp;</P><P>Anyone successfully ingest logs from Cisco ISE to Cortex XDR via syslog?</P><P>&nbsp;</P><P>I've activated the syslog collector of broker VM for TCP514 and format set to auto detect, following this&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-the-syslog-collector" target="_self">documentation</A>, and configured the Cisco ISE to forward the logs to broker VM accordingly.</P><P>&nbsp;</P><P>However, when I&nbsp;hover over the Syslog Collector link in the Apps field of the broker VM, the metrices of Syslog Collector is always 0 logs/s for logs received or logs sent, see screenshots for detail.</P><P>&nbsp;</P><P>Any guidance if I missed anything?</P><P>Are there any methods to verify the syslog is ingesting to Cortex XDR properly?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="weejh_0-1647926849547.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39784iD9529412C98CCE34/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="weejh_0-1647926849547.png" alt="weejh_0-1647926849547.png" /></span></P><P>&nbsp;</P> Tue, 22 Mar 2022 05:39:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/474860#M1739 weejh 2022-03-22T05:39:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475305#M1745 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171314">@weejh</a>&nbsp;I suggest to by confirming the CISCO ISE Syslog format. Cortex XDR can receive Syslog from vendors that use CEF or LEEF formatted over Syslog (TLS not supported). You may reference the <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/external-data-ingestion/about-external-data-ingestion.html#about-external-data-ingestion" target="_self">external data ingestion vendor support</A> for additional details on log/data types and vendor support (E.g. custom external sources).&nbsp;</P> Wed, 23 Mar 2022 20:55:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475305#M1745 WSeldenIII 2022-03-23T20:55:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475353#M1746 <P>In case that your Cisco is not sending CEF or LEEF, you could still parse the logs so that xdr will, so to say, "understand" them.&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-parsing-rules.html" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-parsing-rules.html</A><BR />I would also check how are you sending them and how is broker vm listening to them. Meaning as WSeldenIII pointed (TLS is not supported), which port are you using ? standard 514 port for syslog ? tcp/udp (confirmed/unconfirmed). Check also that no Fw is dropping your traffic and that cisco can reach broker vm (network routes, etc...)&nbsp;</P> Wed, 23 Mar 2022 22:44:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475353#M1746 eluis 2022-03-23T22:44:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475420#M1747 <P>Hi</P><P>Hi</P><P>&nbsp;</P><P>Thanks for the update.</P><P>&nbsp;</P><P>Yes, I need to confirm Cisco ISE syslog format, which I missed it earlier.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Mar 2022 06:57:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475420#M1747 weejh 2022-03-24T06:57:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475423#M1748 <P>Hi</P><P>&nbsp;</P><P>Thanks for the update.</P><P>&nbsp;</P><P>I believe the Cisco ISE syslog format may not be&nbsp; CEF or LEEF formatted and need to create necessary parsing rules.</P><P>&nbsp;</P><P>For broker vm is configured to listen to TCP514 and firewall enabled to allow broker vm IP with TCP514.&nbsp;</P> Thu, 24 Mar 2022 07:09:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ingest-logs-from-cisco-ise-to-cortex-xdr/m-p/475423#M1748 weejh 2022-03-24T07:09:35Z