11-29-2024 05:57 AM
Hi,
I am having an issue with Cortex log forwarding to a syslog server, where Cortex XDR encountered the error below (you can refer to the attachment named Cortex XDR error).
Test failed: Connection timed out
I have checked many times with our firewall team, and when we check the firewall logs we can see the traffic from Cortex XDR coming through the firewall and it is not being rejected. You can refer to the attachment for the firewall log details.
From my syslog server config, I configured it as below.
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       UsePid="system"              # PID number is retrieved as the ID of the process the journal entry originates from
       FileCreateMode="0644"        # Set the access permissions for the state file
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imptcp" Threads="2") # needs to be done just once
input(type="imptcp" port="514")

# Make gtls driver the default and set certificate files
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem"
)
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="x509/name")
$InputTCPServerRun 6514
Then, at the Cortex XDR side, I just sent a copy of ca.pem and uploaded it into the syslog server configuration.
Seeking your advice on whether I am performing the correct steps or not for the above syslog configuration.
Thanks.
11-29-2024 06:03 AM
Forgot to inform. Our log integration flow is as below. At the LB, we have allowed port TCP 6514 and the same goes for the syslog server side. Also, there was no error in the rsyslog configuration on the syslog server.
Cortex XDR > Load Balancer (NAT IP address) > Syslog Server
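A stage-by-stage probe of the listener, run from a host on the sending side of the load balancer (added here as an example; it is not Cortex XDR's built-in test nor code from this thread, and the host, port, ca.pem and optional client-certificate paths are placeholders to fill in). A "Connection timed out" at the TCP stage means no SYN/ACK came back, which separates an LB/NAT or firewall-path problem from a certificate problem; once TCP succeeds, the TLS stage reports chain and client-certificate failures on their own, and the x509/name authmode in the config above expects the client to present a certificate too.

```python
import socket
import ssl

def frame_octet_counted(msg: str) -> bytes:
    # RFC 6587 octet-counting framing ("<length> <message>"), which rsyslog's
    # imtcp input accepts; avoids relying on a trailing newline delimiter.
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body

def probe_syslog_tls(host, port=6514, cafile="ca.pem", certfile=None, keyfile=None,
                     timeout=5.0, send_test=False):
    """Probe a TLS syslog listener and report which stage fails.

    Returns (stage, detail) where stage is one of:
      tcp_timeout  no SYN/ACK: the LB/NAT or firewall path is dropping the flow
      tcp_refused  host reachable, nothing listening on the port
      tcp_error    other socket error (DNS, route, local policy)
      ca_error     CA file or client key pair could not be loaded
      tls_failed   TCP works, the TLS handshake does not (chain, name, client cert)
      ok           handshake completed; detail holds the server certificate subject
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout", f"no response within {timeout:.1f}s"
    except ConnectionRefusedError:
        return "tcp_refused", "TCP RST received"
    except OSError as exc:
        return "tcp_error", str(exc)
    try:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
        if certfile:
            # rsyslog's x509/name mode is mutual: the server expects a client
            # certificate whose name matches a StreamDriver.PermittedPeer entry.
            ctx.load_cert_chain(certfile, keyfile)
    except OSError as exc:
        raw.close()
        return "ca_error", str(exc)
    ctx.check_hostname = False  # chain validation only; name policy is rsyslog's job
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError as exc:
        raw.close()
        return "tls_failed", str(exc)
    with tls:
        subject = dict(x[0] for x in tls.getpeercert().get("subject", ()))
        if send_test:
            # constructed RFC 5424 test line; shows up in the server's syslog
            tls.sendall(frame_octet_counted("<14>1 - probe syslog-probe - - - TLS probe OK"))
    return "ok", str(subject)
```

Run it first against the LB's NAT address and then against the syslog server directly; differing stages between the two runs localise the fault to the hop in between.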