How to configure rsyslog server to receive logs from Cortex XDR via TCP+SSL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

How to configure rsyslog server to receive logs from Cortex XDR via TCP+SSL

L1 Bithead

Hi,

 

I am having issue with Cortex Log forwarding to syslog server where from Cortex XDR encountered error(can refer in the attachment named Cortex XDR error) as below.

 

Test failed: Connection timed out

 

I have check many times with our firewall team and when we check the firewall logs, we can see the traffic from cortex XDR coming thru the firewall and it is not being rejected. You can refer in the attachment for the firewall logs detail

 

From my syslog server config, i configure as below.

 

module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
FileCreateMode="0644" # Set the access permissions for the state file
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imptcp" Threads="2") # needs to be done just once
input(type="imptcp" port="514")


#Make glts driver the default and set certificate files
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.pem"
DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/server-cert.pem"
DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem"
)

module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="x509/name")
$InputTCPServerRun 6514

 

Then, at cortex XDR side, i just send a copy of ca.pem and uploaded it into syslog server configuration.

 

Seek your advise whether i am performing the correct steps or not for the above syslog configuration.

 

Thanks.

1 REPLY 1

L1 Bithead

Forgot to inform. Our Log integration flow is as below. At LB, we have allowed the port TCP6514 and same goes to syslog server side. Also, there was no error on the rsyslog configuration in  syslog server.

Cortex XDR > Load Balancer (NAT IP address) > Syslog Server

  • 351 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!