# Palo Alto Networks Cortex XDR

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fdocs-docusaurus.kinsta.page%2Fintegrations%2Fsecurity%2Fpalo-alto-network-cortex-xdr.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fdocs-docusaurus.kinsta.page%2Fintegrations%2Fsecurity%2Fpalo-alto-network-cortex-xdr.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

## Overview[​](#overview "Direct link to Overview")

This guide shows you how to ship Cortex XDR alerts and audit logs to Coralogix. Cortex XDR sends CEF-formatted events over syslog to a relay VM that runs the OpenTelemetry Collector, and the Collector forwards them to Coralogix over HTTPS using the Coralogix exporter.

Cortex XDR has two separate log-forwarding mechanisms. This guide covers the Syslog Receiver path only.

| Mechanism                                     | What it ships                                                                    | License                                                                                               | Transport                                                            |
| --------------------------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
| **Syslog Receiver** (Notification Forwarding) | Alerts, Agent Audit, Management Audit                                            | Included with Prevent / Pro                                                                           | Syslog (UDP, TCP, or TCP over TLS), CEF format                       |
| **Event Forwarding**                          | Raw endpoint EDR telemetry (process, network, file, registry, image-load events) | Separate paid license — sold as **EP Forwarding** (endpoint) and **GB Forwarding** (third-party data) | GCS bucket, line-delimited JSON `.gz` files, 14-day bucket retention |

If your requirement is to send raw endpoint telemetry — for example, every process execution on every endpoint — syslog does not deliver it. You need the Event Forwarding license and a GCS-pull ingestion pipeline instead.

## What you need[​](#what-you-need "Direct link to What you need")

* Admin access to your [Coralogix account](https://docs-docusaurus.kinsta.page/user-guides/account-management/user-management/teams/.md).
* Admin access to your Cortex XDR tenant.
* A Linux relay VM that meets the [minimum specs](#relay-vm-specs).
* A Coralogix [Send-Your-Data API key](https://docs-docusaurus.kinsta.page/user-guides/account-management/api-keys/send-your-data-api-key/.md).
* Inbound network access from Cortex XDR egress IPs to the relay VM on your chosen syslog port.
* Outbound HTTPS (port 443) from the relay VM to your [Coralogix domain](https://docs-docusaurus.kinsta.page/user-guides/account-management/account-settings/coralogix-domain/.md).

### Relay VM specs[​](#relay-vm-specs "Direct link to Relay VM specs")

Size the relay VM to match your expected log volume. These values are a baseline for moderate audit-log throughput.

| Resource | Baseline                                                                               |
| -------- | -------------------------------------------------------------------------------------- |
| OS       | Ubuntu 22.04 LTS, RHEL 9, or equivalent                                                |
| vCPU     | 2–4                                                                                    |
| RAM      | 4–8 GB                                                                                 |
| Disk     | 40 GB (collector binary, logs, on-disk spool)                                          |
| Network  | Inbound from Cortex XDR egress IPs on the syslog port; outbound HTTPS 443 to Coralogix |

## Architecture[​](#architecture "Direct link to Architecture")

<!-- -->

The Collector receives the CEF syslog stream from Cortex XDR, optionally parses or enriches it, and forwards it to Coralogix over HTTPS using the Coralogix exporter.

## Configure the syslog server in Cortex XDR[​](#configure-the-syslog-server-in-cortex-xdr "Direct link to Configure the syslog server in Cortex XDR")

**STEP 1.** In the Cortex XDR console, navigate to **Settings**, then **Configurations**, then **Data Management**, then **Notifications**, then **Syslog Servers**.

**STEP 2.** Select **+ Add Syslog Server** and provide:

* **Name**: a descriptive name for the server.
* **Destination**: the FQDN or IP of your relay VM.
* **Port**: the syslog port you plan to listen on (for example, `514` for plain TCP, `6514` for TCP over TLS).
* **Protocol**: TCP, UDP, or TCP over TLS.
* **Facility**: `LOG_USER` (default), or the facility your team uses.

**STEP 3.** If you selected TCP over TLS, upload the relay VM's public certificate.

**STEP 4.** Save the server, then select **Test**. Cortex XDR sends a test event. Do not proceed until the test packet reaches the VM. Verify with `tcpdump` or `nc -l` on the VM before you configure the Collector.

**STEP 5.** Return to **Notifications** and open **Notification Forwarding**. Route the event types you want to ship to the new syslog server:

* Alerts
* Agent Audit
* Management Audit

## Configure the OpenTelemetry Collector[​](#configure-the-opentelemetry-collector "Direct link to Configure the OpenTelemetry Collector")

### Install the Collector[​](#install-the-collector "Direct link to Install the Collector")

Install the OpenTelemetry Collector Contrib distribution on the relay VM. The following example is for Ubuntu; adapt it to your distribution.

```
wget https://github.com/open-telemetry/opentelemetry-collector-releases/releases/latest/download/otelcol-contrib_linux_amd64.deb

sudo dpkg -i otelcol-contrib_linux_amd64.deb

sudo systemctl enable otelcol-contrib
```

For other platforms or pinned versions, see the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

### Edit the config file[​](#edit-the-config-file "Direct link to Edit the config file")

The default config path is `/etc/otelcol-contrib/config.yaml`. Replace its contents with the following, substituting the values in angle brackets:

```
receivers:

  syslog:

    tcp:

      listen_address: "0.0.0.0:<port>"

    protocol: rfc5424

    location: UTC



exporters:

  coralogix:

    domain: "<coralogix-domain>"

    private_key: "<send-your-data-api-key>"

    application_name: "cortex-xdr"

    subsystem_name: "audit-logs"

    timeout: 30s



service:

  pipelines:

    logs:

      receivers: [syslog]

      exporters: [coralogix]
```

| Variable                   | Value                                                                                                                                            |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| `<port>`                   | The same port you set in **Add Syslog Server** in Cortex XDR.                                                                                    |
| `<coralogix-domain>`       | Your [Coralogix domain](https://docs-docusaurus.kinsta.page/user-guides/account-management/account-settings/coralogix-domain/.md).               |
| `<send-your-data-api-key>` | Your Coralogix [Send-Your-Data API key](https://docs-docusaurus.kinsta.page/user-guides/account-management/api-keys/send-your-data-api-key/.md). |

For TLS, add a `tls` block under `syslog.tcp` that points to your certificate and key files. See the [OpenTelemetry syslog receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/syslogreceiver) docs for the full schema.

### Validate and start[​](#validate-and-start "Direct link to Validate and start")

Validate the config before restarting the service:

```
otelcol-contrib validate --config /etc/otelcol-contrib/config.yaml
```

Restart and confirm the service is running:

```
sudo systemctl restart otelcol-contrib

sudo systemctl status otelcol-contrib

sudo journalctl -u otelcol-contrib -f
```

## Verify the log flow[​](#verify-the-log-flow "Direct link to Verify the log flow")

**STEP 1.** On the relay VM, confirm syslog packets are arriving from Cortex XDR egress IPs:

```
sudo tcpdump -i <interface> port <syslog-port>
```

**STEP 2.** In Cortex XDR, trigger a test event from the syslog server entry, or generate a real alert.

**STEP 3.** In Coralogix, open **Logs**, then **Explore**, and run:

```
applicationName:cortex-xdr AND subsystemName:audit-logs
```

If events appear, the integration is working. If they do not, check the Collector logs with `journalctl -u otelcol-contrib -f` and confirm the VM's security group or firewall allows inbound traffic from Cortex XDR's egress IP range.

## Related resources[​](#related-resources "Direct link to Related resources")

* [Integrate a syslog receiver — Cortex XDR docs](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Integrate-a-syslog-receiver)
* [Configure notification forwarding — Cortex XDR docs](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Configure-notification-forwarding)
* [Log notification formats — Cortex XDR docs](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Log-notification-formats)
* [OpenTelemetry syslog receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/syslogreceiver)
* [Coralogix exporter for OpenTelemetry](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/coralogixexporter)
