https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240221#M8805 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190764">@eluis</a>&nbsp;</P> <P>&nbsp;</P> <P>1. Iam trying to get the logs of linux server , the unknown_unknown_raw data set itself not getting created.<BR /><BR /></P> <P>2. For IBM guardium log are configured to send in leef format&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBalan_0-1760687684538.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/69614i115B12B9683B4272/image-size/medium?v=v2&amp;px=400" role="button" title="PBalan_0-1760687684538.png" alt="PBalan_0-1760687684538.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBalan_1-1760687738380.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/69615i49D01743CF89EE22/image-size/medium?v=v2&amp;px=400" role="button" title="PBalan_1-1760687738380.png" alt="PBalan_1-1760687738380.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 17 Oct 2025 07:56:06 GMT P.Balan 2025-10-17T07:56:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240124#M8798 <P>Hi All,</P> <P>&nbsp;</P> <P>We have deployed broker vm and enabled syslog applet and configured the broker vm ip as remote host in one of our linux server and IBM guardium database activity monitoring tool but we are unable to see the logs in the console.<BR /><BR />unkonwn_unknown_raw data not getting created , but when checked tcp dump in broker vm log received by the broker vm.</P> <P>&nbsp;</P> <P>kindly let us know how to torubleshoot the issus</P> Thu, 16 Oct 2025 06:29:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240124#M8798 P.Balan 2025-10-16T06:29:57Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240166#M8802 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1227665047">@P.Balan</a>&nbsp;</P> <P>&nbsp;</P> <P>If your log sources are able to produce LEEF or CEF logs, please configure such.&nbsp;<BR />Broker vm syslog applet will identify the vendor and will store the logs at a dataset with the vendor and model name of the device. It might be what is happening and you are looking to the wrong dataset =?&nbsp;</P> <P>&nbsp;</P> <P>If Broker is receiving logs, it should store them. Everyting that is not known will go to unknown_unknown _raw dataset what can create a mix of many different log sources altogether&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".&nbsp;</P> <P>Thank you.</P> <P>Luis&nbsp;</P> <P>&nbsp;</P> Thu, 16 Oct 2025 15:42:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240166#M8802 eluis 2025-10-16T15:42:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240221#M8805 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190764">@eluis</a>&nbsp;</P> <P>&nbsp;</P> <P>1. Iam trying to get the logs of linux server , the unknown_unknown_raw data set itself not getting created.<BR /><BR /></P> <P>2. For IBM guardium log are configured to send in leef format&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBalan_0-1760687684538.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/69614i115B12B9683B4272/image-size/medium?v=v2&amp;px=400" role="button" title="PBalan_0-1760687684538.png" alt="PBalan_0-1760687684538.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBalan_1-1760687738380.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/69615i49D01743CF89EE22/image-size/medium?v=v2&amp;px=400" role="button" title="PBalan_1-1760687738380.png" alt="PBalan_1-1760687738380.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 17 Oct 2025 07:56:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240221#M8805 P.Balan 2025-10-17T07:56:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240306#M8808 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1227665047">@P.Balan</a>&nbsp;</P> <P>&nbsp;</P> <P>If LEEF / CEF is working properly, you should get the IBM product and model identified so the dataset name should be like:<BR />IBM_IbmDeviceProductModel_raw</P> <P>&nbsp;</P> <P>Check if in cogwheel settings configuration dataset management you have something like that. Even if the logs are not parsed, they should be put into unknown_unknown_raw</P> <P>&nbsp;</P> <P>Might be that IBM is sending logs not in LEEF ? can you try with CEF ? Both formats should be parsed since are standard logs we understand. = Issue at IBM side generating log in those formats?</P> <P>&nbsp;</P> <P>If not open a TAC support case since this is a bug-fix that needs to be handled</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".&nbsp;</P> <P>Thank you.</P> <P>Luis&nbsp;</P> <P>&nbsp;</P> Mon, 20 Oct 2025 14:19:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-syslog-applet/m-p/1240306#M8808 eluis 2025-10-20T14:19:05Z