Palo Alto Networks Cortex XDR
Overview
This guide shows you how to ship Cortex XDR alerts and audit logs to Coralogix. Cortex XDR sends CEF-formatted events over syslog to a relay VM that runs the OpenTelemetry Collector, and the Collector forwards them to Coralogix over HTTPS using the Coralogix exporter.
Cortex XDR has two separate log-forwarding mechanisms. This guide covers the Syslog Receiver path only.
| Mechanism | What it ships | License | Transport |
|---|---|---|---|
| Syslog Receiver (Notification Forwarding) | Alerts, Agent Audit, Management Audit | Included with Prevent / Pro | Syslog (UDP, TCP, or TCP over TLS), CEF format |
| Event Forwarding | Raw endpoint EDR telemetry (process, network, file, registry, image-load events) | Separate paid license — sold as EP Forwarding (endpoint) and GB Forwarding (third-party data) | GCS bucket, line-delimited JSON .gz files, 14-day bucket retention |
If your requirement is to send raw endpoint telemetry — for example, every process execution on every endpoint — syslog does not deliver it. You need the Event Forwarding license and a GCS-pull ingestion pipeline instead.
What you need
- Admin access to your Coralogix account.
- Admin access to your Cortex XDR tenant.
- A Linux relay VM that meets the minimum specs.
- A Coralogix Send-Your-Data API key.
- Inbound network access from Cortex XDR egress IPs to the relay VM on your chosen syslog port.
- Outbound HTTPS (port 443) from the relay VM to your Coralogix domain.
Relay VM specs
Size the relay VM to match your expected log volume. These values are a baseline for moderate audit-log throughput.
| Resource | Baseline |
|---|---|
| OS | Ubuntu 22.04 LTS, RHEL 9, or equivalent |
| vCPU | 2–4 |
| RAM | 4–8 GB |
| Disk | 40 GB (collector binary, logs, on-disk spool) |
| Network | Inbound from Cortex XDR egress IPs on the syslog port; outbound HTTPS 443 to Coralogix |
Architecture
```mermaid
flowchart LR
    A[Cortex XDR] -->|"CEF over syslog<br>(TCP/UDP/TLS)"| B[OpenTelemetry Collector<br>relay VM]
    B -->|HTTPS| C[Coralogix]
```
The Collector receives the CEF syslog stream from Cortex XDR, optionally parses or enriches it, and forwards it to Coralogix over HTTPS using the Coralogix exporter.
Configure the syslog server in Cortex XDR
STEP 1. In the Cortex XDR console, navigate to Settings, then Configurations, then Data Management, then Notifications, then Syslog Servers.
STEP 2. Select + Add Syslog Server and provide:
- Name: a descriptive name for the server.
- Destination: the FQDN or IP of your relay VM.
- Port: the syslog port you plan to listen on (for example, 514 for plain TCP, 6514 for TCP over TLS).
- Protocol: TCP, UDP, or TCP over TLS.
- Facility: LOG_USER (default), or the facility your team uses.
STEP 3. If you selected TCP over TLS, upload the relay VM's public certificate.
STEP 4. Save the server, then select Test. Cortex XDR sends a test event. Do not proceed until the test packet reaches the VM. Verify with tcpdump or nc -l on the VM before you configure the Collector.
STEP 5. Return to Notifications and open Notification Forwarding. Route the event types you want to ship to the new syslog server:
- Alerts
- Agent Audit
- Management Audit
Configure the OpenTelemetry Collector
Install the Collector
Install the OpenTelemetry Collector Contrib distribution on the relay VM. The following example is for Ubuntu; adapt it to your distribution.
```shell
wget https://github.com/open-telemetry/opentelemetry-collector-releases/releases/latest/download/otelcol-contrib_linux_amd64.deb
sudo dpkg -i otelcol-contrib_linux_amd64.deb
sudo systemctl enable otelcol-contrib
```
For other platforms or pinned versions, see the OpenTelemetry Collector releases page.
Edit the config file
The default config path is /etc/otelcol-contrib/config.yaml. Replace its contents with the following, substituting the values in angle brackets:
```yaml
receivers:
  syslog:
    tcp:
      listen_address: "0.0.0.0:<port>"
    protocol: rfc5424
    location: UTC

exporters:
  coralogix:
    domain: "<coralogix-domain>"
    private_key: "<send-your-data-api-key>"
    application_name: "cortex-xdr"
    subsystem_name: "audit-logs"
    timeout: 30s

service:
  pipelines:
    logs:
      receivers: [syslog]
      exporters: [coralogix]
```
| Variable | Value |
|---|---|
| `<port>` | The same port you set in Add Syslog Server in Cortex XDR. |
| `<coralogix-domain>` | Your Coralogix domain. |
| `<send-your-data-api-key>` | Your Coralogix Send-Your-Data API key. |
For TLS, add a tls block under syslog.tcp that points to your certificate and key files. See the OpenTelemetry syslog receiver docs for the full schema.
Validate and start
Validate the config before restarting the service:
Restart and confirm the service is running:
```shell
sudo systemctl restart otelcol-contrib
sudo systemctl status otelcol-contrib
sudo journalctl -u otelcol-contrib -f
```
Verify the log flow
STEP 1. On the relay VM, confirm syslog packets are arriving from Cortex XDR egress IPs:
STEP 2. In Cortex XDR, trigger a test event from the syslog server entry, or generate a real alert.
STEP 3. In Coralogix, open Logs, then Explore, and run:
If events appear, the integration is working. If they do not, check the Collector logs with journalctl -u otelcol-contrib -f and confirm the VM's security group or firewall allows inbound traffic from Cortex XDR's egress IP range.
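To confirm the relay is not mangling events, decode a line captured on the VM. The following added Python example (not code from this guide, Cortex XDR, the Collector or Coralogix) splits the CEF header and extensions while honouring the CEF escape rules for `|`, `=` and `\`; the sample line is constructed and its values are illustrative, not a captured event.

```python
"""Decode a Cortex XDR CEF event carried in an RFC 5424 syslog line.
Added example for this guide, not code from Cortex XDR, the Collector or
Coralogix; SAMPLE is constructed to mirror the CEF layout, not captured."""
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample with an escaped '|' in the name and '\=' '\\' in cs1.
SAMPLE = (
    "<14>1 2024-05-01T12:00:00Z cortex-xdr - - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 3.x|XDR Agent|"
    "Behavioral Threat \\| PowerShell|8|end=1714564800000 shost=WS-0417 "
    "suser=jdoe act=Detected (Reported) cs1Label=Description "
    "cs1=Suspicious cmd\\=line with \\\\ escaped chars cat=Malware"
)

# key=value pairs: a value runs to the next " key=" and never holds a bare '='.
EXT_RE = re.compile(r"(?:^|\s)(\w+)=((?:\\.|[^=\\])*?)(?=\s\w+=|$)")


def _split_header(payload):
    # Split the 7 '|'-delimited header fields, honouring '\|' and '\\' escapes.
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and payload[i + 1:i + 2] in ("|", "\\"):
            cur.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    return fields, payload[i:]


def parse_cef(line):
    """Return (syslog_prefix, header_dict, extensions_dict) for one line."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload found")
    fields, ext = _split_header(line[idx + 4:])
    if len(fields) != 7:
        raise ValueError("malformed CEF header: %d fields" % len(fields))
    header = dict(zip(HEADER_FIELDS, fields))
    # Extension values carry '\=' and '\\' escapes; drop the backslash.
    exts = {k: re.sub(r"\\(.)", r"\1", v) for k, v in EXT_RE.findall(ext)}
    return line[:idx].rstrip(), header, exts
```

Feed it the CEF line from your tcpdump capture and compare the decoded fields with what the Coralogix Explore query shows; a mismatch points at framing or encoding problems on the relay rather than at Cortex XDR.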
Related resources
- Integrate a syslog receiver — Cortex XDR docs
- Configure notification forwarding — Cortex XDR docs
- Log notification formats — Cortex XDR docs
- OpenTelemetry syslog receiver
- Coralogix exporter for OpenTelemetry