Cortex XDR Management Audit Logs CEF Format

[bharathkumarnec]

Hi Team,
We are getting logs from Cortex XDR with CEF format using syslog and seems this app is not yet supporting this format, is it correct or am i missing something?

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/cortex-xdr-log-notification-formats/management-audit-log-notification-format.html

Regards,
BK

[btorresgil]

Hi @bharathkumarnec, thanks for your question. The Splunk App/Add-on supports Cortex XDR data using the XDR API only. It doesn't support syslog and there are currently no plans to add syslog. Here are the directions for setting it up: https://splunk.paloaltonetworks.com/cortex-xdr.html

The App/Add-on will not support logs from any product in CEF format, because CEF requires extensive regex parsing to do field extraction in Splunk, and we try to offer more optimized ways to parse logs (CSV, JSON, etc). Hope that helps!

[bharathkumarnec]

Thanks @btorresgil! Clear!

[EUmbach]

Hi @bharathkumarnec, thanks for your question. The Splunk App/Add-on supports Cortex XDR data using the XDR API only. It doesn't support syslog and there are currently no plans to add syslog. Here are the directions for setting it up: https://splunk.paloaltonetworks.com/cortex-xdr.html

The App/Add-on will not support logs from any product in CEF format, because CEF requires extensive regex parsing to do field extraction in Splunk, and we try to offer more optimized ways to parse logs (CSV, JSON, etc). Hope that helps!

@btorresgil
Think you need to read the linked documentation. You have taken out the transforms and props needed for auditing. This is linked directly in the XDR documentation and is a supported feature of XDR. so "No plans to support it" needs to be corrected as it is built into the Product.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/integrate-a-syslog-receiver-for-outbound-notifications.html