Linux Events Collection

Linux is an operating system for servers, desktops, cloud, and IoTs

Collector Configuration

Use one of the following options to collect Linux events into Cortex XSIAM:

After the Cortex XSIAM collector starts ingesting logs from the Linux servers, you can query the logs under the linux_linux_raw dataset.

Broker VM

Prerequisites

You need to set and configure a Broker VM. For more information, see Broker VM.

Configuration Steps


  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.

  2. Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.

  3. Click Add New.

  4. When configuring the Syslog Collector, set the following parameters:

    Parameter | Value
    --------- | -----
    Vendor    | linux
    Product   | linux

XDRC (XDR Collector)

Configuration Steps

Follow the steps below to configure an XDR Collector:

  1. Create an XDR Collector installation package as described here.
  2. Install the XDR Collector installation package for Linux on the requested Linux servers as described here.
  3. Configure an XDR Collector Filebeat profile for the requested Linux servers as described here.
    • When configuring the Filebeat YAML configuration file, use the LinuxEventCollection template as a reference: LinuxEventCollection Filebeat Template
      • Customize the paths parameter in accordance with the log files requested for collection:

        ```yaml
        filebeat.inputs:
          - type: filestream
            enabled: true
            paths: # customize paths as necessary
              - /var/log/syslog
              - /var/log/auth.log
              - /var/log/messages
              - /var/log/secure
            processors:
              - add_fields:
                  fields:
                    vendor: linux
                    product: linux
        ```
  4. Apply the configured Filebeat profile to the requested target Linux servers by attaching it to a policy as described here.

Supported Timestamp formats

Broker VM Syslog
  • RFC 3164 compatible timestamps, in UTC, for example: Oct 8 19:44:40.
    Note:
    You can run the following command on the relevant Linux servers to set their timezone to UTC:

    ```bash
    sudo timedatectl set-timezone UTC
    ```
  • RFC 3339 and ISO 8601 compatible timestamps. Examples:
    • 2024-10-28T14:30:55Z
    • 2024-10-28T14:30:55-0300
    • 2024-10-28T14:30:55-03:00
    • 2024-10-28 14:30:55.123+0300
    • 2024-10-28 14:30:55.123+03:00
Filebeat XDR Collector
  • RFC 3339 and ISO 8601 compatible timestamps. Examples:
    • 2024-10-28T14:30:55Z
    • 2024-10-28T14:30:55-0300
    • 2024-10-28T14:30:55-03:00
    • 2024-10-28 14:30:55.123+0300
    • 2024-10-28 14:30:55.123+03:00

Note:
Event logs collected via Filebeat with timestamp formats other than those listed above are assigned the agent collection time.
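As an added example (not part of this content pack or of Filebeat), the routine below mirrors the supported-format list above: it recognises the RFC 3164 form and the five RFC 3339 / ISO 8601 variants, normalises each to UTC, and stamps anything else with the collection time, which is the fallback behaviour the note describes. The sample log lines, host names and collection time are constructed, and the RFC 3164 branch assumes the host clock is UTC as the Broker VM section requires.

```python
"""Normalise the leading timestamp of collected Linux log lines.

Added example, not part of the Linux Events Collection pack: it models the
supported-format list above. Lines starting with a supported timestamp are
converted to UTC; anything else is stamped with the collection time, which
is what the page says happens to Filebeat-collected events.
"""
import re
from datetime import datetime, timezone

# Leading RFC 3339 / ISO 8601 timestamp: 'T' or space separator, optional
# fraction, then Z, +HHMM or +HH:MM (all five forms listed on the page).
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2}))\s"
)
# Leading RFC 3164 timestamp, e.g. 'Oct 8 19:44:40' (no year, no zone).
_RFC3164 = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s")

# strptime patterns; %z accepts 'Z', '+0300' and '+03:00' (Python 3.7+).
_RFC3339_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",
    "%Y-%m-%dT%H:%M:%S.%f%z",
    "%Y-%m-%d %H:%M:%S%z",
    "%Y-%m-%d %H:%M:%S.%f%z",
)


def _iso_utc(ts):
    """Render an aware datetime as a UTC RFC 3339 string with milliseconds."""
    return ts.astimezone(timezone.utc).isoformat(timespec="milliseconds")


def normalize_timestamp(line, collection_time, reference_year=None):
    """Return (utc_iso_string, source) for one log line.

    source is "event" when the line carried a supported timestamp and
    "collection" when collection_time (an RFC 3339 string) was used instead.
    """
    collected = datetime.strptime(collection_time, "%Y-%m-%dT%H:%M:%S%z")

    m = _RFC3339.match(line)
    if m:
        for fmt in _RFC3339_FORMATS:
            try:
                ts = datetime.strptime(m.group(1), fmt)
            except ValueError:
                continue
            return _iso_utc(ts), "event"

    m = _RFC3164.match(line)
    if m:
        # RFC 3164 carries neither year nor zone: take the year from the
        # collection clock and assume the host clock is UTC, as the page
        # requires (timedatectl set-timezone UTC).
        year = reference_year or collected.year
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return _iso_utc(ts.replace(tzinfo=timezone.utc)), "event"

    # Unsupported format: fall back to the collection time.
    return _iso_utc(collected), "collection"


# Constructed sample lines (not real host output), one per supported form
# plus one unsupported US-style date that triggers the fallback.
SAMPLE_LINES = [
    "Oct  8 19:44:40 web01 sshd[1042]: Accepted publickey for deploy from 10.0.0.5",
    "2024-10-28T14:30:55Z web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "2024-10-28T14:30:55-0300 web01 sshd[1050]: Failed password for root from 203.0.113.7",
    "2024-10-28T14:30:55-03:00 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-10-28 14:30:55.123+0300 web01 systemd[1]: Started Session 12 of user deploy.",
    "2024-10-28 14:30:55.123+03:00 web01 useradd[1100]: new user: name=svc_backup",
    "10/28/2024 14:30:55 web01 kernel: audit: type=1400 apparmor=DENIED",
]


def normalize_all(lines, collection_time="2024-10-28T14:31:00Z"):
    """Normalise a batch of lines; returns a list of (utc_iso, source)."""
    return [normalize_timestamp(line, collection_time) for line in lines]


if __name__ == "__main__":
    for (ts, source), line in zip(normalize_all(SAMPLE_LINES), SAMPLE_LINES):
        print(f"{ts}  {source:<10}  {line[:50]}")
```

Running it on a sample of your own `/var/log` lines before onboarding shows which entries would keep their event time and which would silently take the collection time; the latter is worth fixing at the source (rsyslog template or timezone), since a fallback timestamp breaks ordering in the linux_linux_raw dataset.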

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

Supported By: Cortex
Created: June 10, 2022
Last Release: November 7, 2024

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.