For November 2020, Cortex Data Lake has some new features that we would like to tell you about.
Log forwarding is the biggest part of the November 2020 release, along with log filtering and LEEF format support.
Please see the list below for the details.
New Cortex Data Lake features
Log Forwarding Integration
You can now forward logs from within the Cortex Data Lake app, enabling you to conveniently manage onboarding, storage, and log transmission in a single application. In moving to the Cortex Data Lake app, the log forwarding interface now has a new, simplified design that makes it easier to begin configuring Syslog and email profiles to forward your Cortex Data Lake log data.
Log Filter Query Support
When creating your log forwarding profiles in Cortex Data Lake, you can now use the same query language from Explore to define precise log filters based on time, device serial number, IP address, and more.
LEEF Format Support for IBM QRadar
You can now forward logs in Log Extended Event Format (LEEF) for use with IBM QRadar SIEM.
Combined Log Types
To simplify the list of available log types for log forwarding, the tunnel log type now includes GTP logs, and Threat logs now include WildFire logs.
Because log forwarding profiles can only include one filter per log type, if you had a log forwarding profile with a log filter for both of the formerly separate log types, you will now see a new log forwarding profile. This profile contains the log filter that could not be duplicated in the original profile.
For example, a log forwarding profile with filters for both tunnel and GTP logs now appears as two profiles, each with a tunnel filter. One of the profiles will continue filtering tunnel logs and the other will filter GTP logs, which are now included in tunnel logs. The new profile will be called <original name> - GTP or, in the case of Threat and WildFire, <original name> - WildFire.
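The profile split described above, as an added example (not Cortex Data Lake's own code or configuration format): it models a profile as a name plus one filter query per log type, and predicts which profiles will be duplicated and what they will be named after the log types are combined. The assumption that a profile holding only the absorbed type's filter is re-labelled in place rather than split is this example's, not the page's.

```python
# Added example: predicts how log forwarding profiles are split when two
# formerly separate log types are combined. The profile shape
# {"name": ..., "filters": {log_type: query}} is an assumption for this
# illustration, not the product's real configuration format.

# Log types folded into another type in the November 2020 release.
COMBINED_TYPES = {
    "GTP": "tunnel",
    "WildFire": "Threat",
}


def split_combined_profiles(profiles):
    """Return the post-migration profile list.

    A profile holds at most one filter per log type. When a profile has a
    filter for both an absorbed type (e.g. GTP) and the type that absorbed
    it (tunnel), the absorbed filter moves to a new profile named
    "<original name> - <absorbed type>". Assumption: a profile holding only
    the absorbed type's filter is simply re-labelled in place.
    """
    migrated = []
    for profile in profiles:
        base = {"name": profile["name"], "filters": dict(profile["filters"])}
        extras = []
        for old_type, new_type in COMBINED_TYPES.items():
            if old_type not in base["filters"]:
                continue
            query = base["filters"].pop(old_type)
            if new_type in base["filters"]:
                # Conflict: both filters present, so a second profile is carved out.
                extras.append({
                    "name": f"{profile['name']} - {old_type}",
                    "filters": {new_type: query},
                })
            else:
                base["filters"][new_type] = query
        migrated.append(base)
        migrated.extend(extras)
    return migrated


# Constructed sample profiles; the query strings are placeholders, not Explore syntax.
SAMPLE_PROFILES = [
    {"name": "dc-syslog", "filters": {"tunnel": "query-tunnel", "GTP": "query-gtp"}},
    {"name": "soc-email", "filters": {"Threat": "query-threat", "WildFire": "query-wf"}},
    {"name": "gtp-only", "filters": {"GTP": "query-gtp-only"}},
]

if __name__ == "__main__":
    for p in split_combined_profiles(SAMPLE_PROFILES):
        print(p["name"], p["filters"])
```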
Non-Editable Log Forwarding Filters
Some log filters created in the previous Log Forwarding app can no longer be edited. If you would like to change such filters, you must delete them and create new ones.
Because some fields in the migrated filters are no longer available, you may not be able to recreate an identical filter if you delete it.