https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/554975#M5022 <P>Hello Team,</P> <P>&nbsp;</P> <P><SPAN><SPAN class="ui-provider fz b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">We need to change rsyslog.conf file. Please let us know if this file can be changed and is it recommended to integrate the BVM server with the SIEM?</SPAN></SPAN></P> Thu, 24 Aug 2023 03:58:19 GMT RamyashreeMada 2023-08-24T03:58:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/554975#M5022 <P>Hello Team,</P> <P>&nbsp;</P> <P><SPAN><SPAN class="ui-provider fz b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">We need to change rsyslog.conf file. Please let us know if this file can be changed and is it recommended to integrate the BVM server with the SIEM?</SPAN></SPAN></P> Thu, 24 Aug 2023 03:58:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/554975#M5022 RamyashreeMada 2023-08-24T03:58:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555060#M5029 <P>Hello Ramyashree,</P> <P>Please confirm, are you looking to&nbsp;<SPAN>forward Cortex Agent logs from Broker VM to SIEM systems?</SPAN></P> Thu, 24 Aug 2023 12:56:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555060#M5029 aspatil 2023-08-24T12:56:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555073#M5032 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206335">@RamyashreeMada</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for writing to livecommunity!</P> <P>&nbsp;</P> <P>The broker VM is a hardened security appliance managed by Palo Alto Networks only. There is no mechanism to configure the internal files and processes on the broker VM and as a result, it can be integrated only to Cortex XDR instance only.&nbsp; The broker VM can collect logs into Cortex XDR and can be used for syslog collection within the surface of the Cortex XDR solution only. As a result, you cannot integrate it directly to a SIEM.&nbsp;</P> <P>&nbsp;</P> <P>Rather the practice recommendation would be to ingest logs into Cortex XDR using the broker VM syslog and collect the alerts and events from the Cortex XDR to SIEM solution via various possible and infrastructually supported means.</P> <P>&nbsp;</P> <P>Hope this answers your query.</P> <P>&nbsp;</P> <P>Please feel free to mark the response as "Accept as Solution" if it helps</P> Thu, 24 Aug 2023 14:25:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555073#M5032 neelrohit 2023-08-24T14:25:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555234#M5034 <P>yes,&nbsp;<SPAN>looking to&nbsp;</SPAN><SPAN>forward Cortex Agent logs from Broker VM to SIEM systems</SPAN></P> Fri, 25 Aug 2023 06:36:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555234#M5034 RamyashreeMada 2023-08-25T06:36:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555236#M5035 <P>Thank you for confirming.</P> <P>This is not possible. You cannot forward agent logs to SIEM using the broker VM.</P> <P>You can only forward notifications.<BR /><SPAN>For more details, please refer:&nbsp;</SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Integrate-a-Syslog-Receiver" target="_blank" rel="noopener nofollow noreferrer">Integrate A Syslog Reciever</A><SPAN>&nbsp;</SPAN></P> Fri, 25 Aug 2023 07:12:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/integrate-the-bvm-server-with-siem/m-p/555236#M5035 aspatil 2023-08-25T07:12:40Z