03-21-2022 10:39 PM
Hi
Anyone successfully ingest logs from Cisco ISE to Cortex XDR via syslog?
I've activated the syslog collector of broker VM for TCP514 and format set to auto detect, following this documentation, and configured the Cisco ISE to forward the logs to broker VM accordingly.
However, when I hover over the Syslog Collector link in the Apps field of the broker VM, the metrics of the Syslog Collector are always 0 logs/s for logs received or logs sent; see screenshots for detail.
Any guidance if I missed anything?
Are there any methods to verify the syslog is ingesting to Cortex XDR properly?
Thanks.
03-23-2022 01:55 PM
Hi @weejh, I suggest starting by confirming the Cisco ISE Syslog format. Cortex XDR can receive Syslog from vendors that use CEF or LEEF formatting over Syslog (TLS not supported). You may reference the external data ingestion vendor support for additional details on log/data types and vendor support (e.g. custom external sources).
03-23-2022 03:44 PM
In case your Cisco is not sending CEF or LEEF, you could still parse the logs so that XDR will, so to say, "understand" them.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-pars...
I would also check how you are sending them and how the broker VM is listening for them. Meaning, as WSeldenIII pointed out (TLS is not supported), which port are you using? The standard 514 port for syslog? TCP/UDP (confirmed/unconfirmed)? Check also that no FW is dropping your traffic and that the Cisco can reach the broker VM (network routes, etc.).
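The two replies above come down to one check before anything else: look at a raw line the source actually emits and decide whether it is CEF, LEEF, or a plain vendor-specific syslog message that will need its own parsing rule. The following is an added example (not code from this thread, from Palo Alto Networks, or from Cisco) that classifies captured lines by format and pulls the header fields and key=value attributes out of each kind. The sample lines are constructed for the example; the third one only follows the general shape of an ISE record (a `CISE_` category token, message text, then comma-separated `Key=Value` attributes) and is not a real capture. The LEEF parser handles the 1.0 header layout only.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed sample lines, not captures from a real ISE node or broker VM.
SAMPLE_LINES = [
    "<14>Mar 22 10:39:00 fw01 CEF:0|Vendor|Product|1.0|100|Login succeeded|3|src=10.0.0.5 suser=alice",
    "<14>Mar 22 10:39:01 host2 LEEF:1.0|Vendor|Product|1.0|200|src=10.0.0.6\tusrName=bob",
    "<181>Mar 22 10:39:02 ise01 CISE_Passed_Authentications 0000000001 1 0 "
    "2022-03-22 10:39:02.000 +00:00 0000000002 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=alice, NAS-IP-Address=10.0.0.7, Device IP Address=10.0.0.7",
]

CEF_MARK = re.compile(r"CEF:\d+\|")
LEEF_MARK = re.compile(r"LEEF:[\d.]+\|")
# A literal pipe inside a CEF/LEEF header field is escaped as "\|", so split only on unescaped pipes.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# CEF extension values may contain spaces, so a value runs until the next " key=" or end of line.
CEF_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Hypothetical pattern for the ISE category token (e.g. CISE_Passed_Authentications).
ISE_CATEGORY = re.compile(r"\b(CISE_\w+)\b")


def detect_format(line: str) -> str:
    """Classify a raw syslog line as 'cef', 'leef' or 'plain' (vendor-specific)."""
    if CEF_MARK.search(line):
        return "cef"
    if LEEF_MARK.search(line):
        return "leef"
    return "plain"


def parse_cef(line: str) -> Dict[str, str]:
    """Return the seven CEF header fields plus the key=value pairs of the extension."""
    body = line[line.index("CEF:") + len("CEF:"):]
    parts = UNESCAPED_PIPE.split(body, maxsplit=7)
    header = ["version", "vendor", "product", "device_version",
              "event_class_id", "name", "severity"]
    record = {k: v.replace("\\|", "|") for k, v in zip(header, parts)}
    extension = parts[7] if len(parts) > 7 else ""
    record.update(CEF_EXT_PAIR.findall(extension))
    return record


def parse_leef(line: str) -> Dict[str, str]:
    """LEEF 1.0: five pipe-separated header fields, then tab-separated key=value pairs."""
    body = line[line.index("LEEF:") + len("LEEF:"):]
    parts = UNESCAPED_PIPE.split(body, maxsplit=5)
    header = ["version", "vendor", "product", "device_version", "event_id"]
    record = {k: v.replace("\\|", "|") for k, v in zip(header, parts)}
    extension = parts[5] if len(parts) > 5 else ""
    for pair in extension.split("\t"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            record[key] = value
    return record


def parse_plain_ise(line: str) -> Dict[str, str]:
    """Pull the category token and comma-separated Key=Value attributes out of an ISE-shaped line.

    This is the kind of extraction a custom parsing rule has to perform when the
    source is neither CEF nor LEEF; attribute names here are only the constructed ones.
    """
    record: Dict[str, str] = {}
    match = ISE_CATEGORY.search(line)
    if match:
        record["category"] = match.group(1)
    for piece in line.split(","):
        if "=" in piece:
            key, value = piece.split("=", 1)
            record[key.strip()] = value.strip()
    return record


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Detect the format of one line and dispatch to the matching parser."""
    fmt = detect_format(line)
    parser = {"cef": parse_cef, "leef": parse_leef, "plain": parse_plain_ise}[fmt]
    return fmt, parser(line)


def format_summary(lines: Iterable[str]) -> Dict[str, int]:
    """Count lines per format. Any 'plain' count means built-in CEF/LEEF handling
    will not cover the source and a parsing rule is needed."""
    return dict(Counter(detect_format(line) for line in lines))


if __name__ == "__main__":
    print(format_summary(SAMPLE_LINES))
    for sample in SAMPLE_LINES:
        print(*parse_line(sample))
```

Run it against a handful of lines captured on the broker VM side (a packet capture or a temporary listener on the configured port) rather than against what the ISE console says it sends; a zero logs/s counter with a correct format means the traffic is not arriving at all, which points back to the port, TCP/UDP and firewall questions rather than to parsing.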
03-23-2022 11:57 PM
Hi
Thanks for the update.
Yes, I need to confirm the Cisco ISE syslog format, which I missed earlier.
03-24-2022 12:09 AM
Hi
Thanks for the update.
I believe the Cisco ISE syslog format may not be CEF or LEEF formatted, and I need to create the necessary parsing rules.
The broker VM is configured to listen on TCP 514, and the firewall is enabled to allow the broker VM IP on TCP 514.