Thought I would give livecommunity a shot on this. We have been looking into integrating several Cortex XDR instances into a single QRadar instance but have come across an issue where it does not seem to let us change the syslog identifier name on any of them. This leads to a problem distinguishing the different XDR tenants from each other as they are all showing up with cortexxdr as the identifier.
All the XDR forwarding will be done over Syslog TLS.
Normally, when configuring syslog for other services we are able to change this, but that does not seem to be the case for XDR. But then again, we have not worked that much with XDR so hoping someone might have found a way of solving this.
Anyone had any luck implementing multiple XDR instances into their SIEM tool through syslog?
Edit: Think we may have found a way of doing this, without involving a new server with rsyslog or similar. Will feed back if it works.
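For reference, this is the relay approach the post mentions as the fallback: an rsyslog configuration that terminates each tenant's syslog-over-TLS session on its own listener and rewrites the syslog HOSTNAME field to a per-tenant constant before forwarding to QRadar, so each tenant lands in its own log source instead of all arriving as `cortexxdr`. This is an added example written for this thread, not configuration from Palo Alto Networks, IBM or the original poster; the listener ports, `qradar.example` target, `*.xdr.example` peer pattern, certificate paths and the `xdr-tenant-a`/`xdr-tenant-b` identifiers are placeholders to replace with your own values.

```rsyslog
# Added example (not from the thread). Assumptions: the relay holds a CA bundle that
# can validate the Cortex XDR tenants' client certificates, QRadar accepts TLS syslog
# on port 6514, and the QRadar log sources are matched on the syslog HOSTNAME field.

global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"      # placeholder path
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/relay.pem" # placeholder path
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/relay.key"  # placeholder path
)

# TLS-only listener; peers must present a certificate whose name matches PermittedPeer,
# so an unauthenticated sender cannot inject events into a tenant's feed.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.xdr.example"])   # placeholder pattern

# One listener per XDR tenant. The port is the only thing that differs on the
# tenant side, so each tenant is pointed at its own port in the XDR syslog settings.
input(type="imtcp" port="6514" ruleset="xdr_tenant_a")
input(type="imtcp" port="6515" ruleset="xdr_tenant_b")

# RFC 5424 header rebuilt with the HOSTNAME field taken from the $!tenant variable
# set below; everything after the header (CEF/LEEF payload) is passed through as-is.
template(name="fwd_per_tenant" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %$!tenant% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Shared forwarder: TLS to QRadar, with the per-tenant template applied.
ruleset(name="fwd_qradar") {
  action(type="omfwd"
         target="qradar.example" port="6514" protocol="tcp"   # placeholder target
         StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
         template="fwd_per_tenant"
         queue.type="LinkedList" queue.size="50000"
         action.resumeRetryCount="-1")   # never drop a tenant's events on an outage
}

# Each tenant ruleset only tags the message and hands it to the common forwarder.
ruleset(name="xdr_tenant_a") {
  set $!tenant = "xdr-tenant-a";   # placeholder identifier
  call fwd_qradar
}

ruleset(name="xdr_tenant_b") {
  set $!tenant = "xdr-tenant-b";   # placeholder identifier
  call fwd_qradar
}
```

Two points worth checking once it is running: `rsyslogd -N1` validates the syntax before restart, and on the QRadar side the new log sources should be created (or auto-discovered) against `xdr-tenant-a` and `xdr-tenant-b` rather than `cortexxdr`, otherwise the events will still collapse into one source. Because the relay terminates TLS, the tenant-to-relay and relay-to-QRadar legs are separately authenticated; the `x509/name` check on the listener is what stops a third party from posing as a tenant.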
Please let me know if your approach does not work at which time I'd like to gather a little more info to take to Product Management.