## Overview

This guide shows you how to ship Cortex XDR alerts and audit logs to Coralogix. Cortex XDR sends CEF-formatted events over syslog to a relay VM that runs the OpenTelemetry Collector, and the Collector forwards them to Coralogix over HTTPS using the Coralogix exporter.

Cortex XDR has two separate log-forwarding mechanisms. This guide covers the Syslog Receiver path only.

| Mechanism                                     | What it ships                                                                    | License                                                                                               | Transport                                                            |
| --------------------------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
| **Syslog Receiver** (Notification Forwarding) | Alerts, Agent Audit, Management Audit                                            | Included with Prevent / Pro                                                                           | Syslog (UDP, TCP, or TCP over TLS), CEF format                       |
| **Event Forwarding**                          | Raw endpoint EDR telemetry (process, network, file, registry, image-load events) | Separate paid license — sold as **EP Forwarding** (endpoint) and **GB Forwarding** (third-party data) | GCS bucket, line-delimited JSON `.gz` files, 14-day bucket retention |

If your requirement is to send raw endpoint telemetry — for example, every process execution on every endpoint — syslog does not deliver it. You need the Event Forwarding license and a GCS-pull ingestion pipeline instead.

## What you need

- Admin access to your [Coralogix account](https://coralogix.com/docs/user-guides/account-management/user-management/teams/index.md).
- Admin access to your Cortex XDR tenant.
- A Linux relay VM that meets the [minimum specs](#relay-vm-specs).
- A Coralogix [Send-Your-Data API key](https://coralogix.com/docs/user-guides/account-management/api-keys/send-your-data-api-key/index.md).
- Inbound network access from Cortex XDR egress IPs to the relay VM on your chosen syslog port.
- Outbound HTTPS (port 443) from the relay VM to your [Coralogix domain](https://coralogix.com/docs/user-guides/account-management/account-settings/coralogix-domain/index.md).

### Relay VM specs

Size the relay VM to match your expected log volume. These values are a baseline for moderate audit-log throughput.

| Resource | Baseline                                                                               |
| -------- | -------------------------------------------------------------------------------------- |
| OS       | Ubuntu 22.04 LTS, RHEL 9, or equivalent                                                |
| vCPU     | 2–4                                                                                    |
| RAM      | 4–8 GB                                                                                 |
| Disk     | 40 GB (collector binary, logs, on-disk spool)                                          |
| Network  | Inbound from Cortex XDR egress IPs on the syslog port; outbound HTTPS 443 to Coralogix |

## Architecture

```mermaid
flowchart LR
    A[Cortex XDR] -->|"CEF over syslog<br>(TCP/UDP/TLS)"| B[OpenTelemetry Collector relay VM]
    B -->|HTTPS| C[Coralogix]

    class A entry
    class C success
```

The Collector receives the CEF syslog stream from Cortex XDR, optionally parses or enriches it, and forwards it to Coralogix over HTTPS using the Coralogix exporter.
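What arrives on the syslog port is a CEF body wrapped in a syslog header, and "parses or enriches" means splitting that body into fields before export. The following Python parser is an added example, not code from this guide, the Collector or Cortex XDR: it splits the seven pipe-delimited CEF header fields and the `key=value` extension while honouring CEF's backslash escapes, and adds a severity label as a sample enrichment; the sample line and its field values are constructed placeholders, not Cortex XDR's actual notification format.

```python
import re
# Constructed sample (placeholder values, not Cortex XDR's real format): an RFC 5424
# syslog line carrying a CEF event with an escaped pipe, an escaped '=' and a "\n".
SAMPLE = (
    r"<14>1 2024-05-01T12:00:00Z relay-vm cortex - - - "
    r"CEF:0|Palo Alto Networks|Cortex XDR|3.x|Behavioral Threat|"
    r"Suspicious cmd \| script|8|rt=1714564800000 suser=jdoe dhost=ws-01 "
    r"cs1Label=cmdline cs1=echo key\=value msg=line one\nline two"
)
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")  # 'key=' after whitespace
_HEADER = ("version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "severity")

def _split_header(body: str) -> tuple[list[str], str]:
    """Split the seven pipe-delimited header fields; backslash escapes '|' and '\\'."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            cur.append(body[i + 1]); i += 2
        elif ch == "|":                          # unescaped delimiter: close the field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7: raise ValueError("not a CEF record: fewer than 7 header fields")
    return fields, body[i:]                      # the remainder is the extension

def _unescape_ext(value: str) -> str:
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> newline / CR
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def severity_label(sev: str) -> str:
    """Map CEF severity 0-10 to a label, a typical enrichment before export."""
    n = int(sev)
    return "Low" if n <= 3 else "Medium" if n <= 6 else "High" if n <= 8 else "Very-High"

def parse_cef(line: str) -> dict:
    """Parse a syslog line carrying a CEF body into header and extension fields."""
    start = line.find("CEF:")
    if start < 0: raise ValueError("no 'CEF:' prefix in message")
    header, ext = _split_header(line[start:])
    rec = dict(zip(_HEADER, header))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["severity_label"] = severity_label(rec["severity"])
    keys = list(_KEY_RE.finditer(ext))
    rec["extension"] = {}
    for n, m in enumerate(keys):                 # a value runs until the next 'key='
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        rec["extension"][m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return rec
```

Running `parse_cef(SAMPLE)` shows why a naive `split("|")` or `split(" ")` is not enough: the escaped pipe stays inside the Name field and the escaped `=` stays inside the `cs1` value.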

## Configure the syslog server in Cortex XDR

**STEP 1.** In the Cortex XDR console, navigate to **Settings**, then **Configurations**, then **Data Management**, then **Notifications**, then **Syslog Servers**.

**STEP 2.** Select **+ Add Syslog Server** and provide:

- **Name**: a descriptive name for the server.
- **Destination**: the FQDN or IP of your relay VM.
- **Port**: the syslog port you plan to listen on (for example, `514` for plain TCP, `6514` for TCP over TLS).
- **Protocol**: TCP, UDP, or TCP over TLS.
- **Facility**: `LOG_USER` (default), or the facility your team uses.

**STEP 3.** If you selected TCP over TLS, upload the relay VM's public certificate.

**STEP 4.** Save the server, then select **Test**. Cortex XDR sends a test event. Do not proceed until the test packet reaches the VM. Verify with `tcpdump` or `nc -l` on the VM before you configure the Collector.

**STEP 5.** Return to **Notifications** and open **Notification Forwarding**. Route the event types you want to ship to the new syslog server:

- Alerts
- Agent Audit
- Management Audit

## Configure the OpenTelemetry Collector

### Install the Collector

Install the OpenTelemetry Collector Contrib distribution on the relay VM. The following example is for Ubuntu; adapt it to your distribution.

```bash
wget https://github.com/open-telemetry/opentelemetry-collector-releases/releases/latest/download/otelcol-contrib_linux_amd64.deb
sudo dpkg -i otelcol-contrib_linux_amd64.deb
sudo systemctl enable otelcol-contrib
```

For other platforms or pinned versions, see the [OpenTelemetry Collector releases page](https://github.com/open-telemetry/opentelemetry-collector-releases/releases).

### Edit the config file

The default config path is `/etc/otelcol-contrib/config.yaml`. Replace its contents with the following, substituting the values in angle brackets:

```yaml
receivers:
  syslog:
    tcp:
      listen_address: "0.0.0.0:<port>"
    protocol: rfc5424
    location: UTC

exporters:
  coralogix:
    domain: "<coralogix-domain>"
    private_key: "<send-your-data-api-key>"
    application_name: "cortex-xdr"
    subsystem_name: "audit-logs"
    timeout: 30s

service:
  pipelines:
    logs:
      receivers: [syslog]
      exporters: [coralogix]
```

| Variable                   | Value                                                                                                                                        |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `<port>`                   | The same port you set in **Add Syslog Server** in Cortex XDR.                                                                                |
| `<coralogix-domain>`       | Your [Coralogix domain](https://coralogix.com/docs/user-guides/account-management/account-settings/coralogix-domain/index.md).               |
| `<send-your-data-api-key>` | Your Coralogix [Send-Your-Data API key](https://coralogix.com/docs/user-guides/account-management/api-keys/send-your-data-api-key/index.md). |

For TLS, add a `tls` block under `syslog.tcp` that points to your certificate and key files. See the [OpenTelemetry syslog receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/syslogreceiver) docs for the full schema.

### Validate and start

Validate the config before restarting the service:

```bash
otelcol-contrib validate --config /etc/otelcol-contrib/config.yaml
```

Restart and confirm the service is running:

```bash
sudo systemctl restart otelcol-contrib
sudo systemctl status otelcol-contrib
sudo journalctl -u otelcol-contrib -f
```

## Verify the log flow

**STEP 1.** On the relay VM, confirm syslog packets are arriving from Cortex XDR egress IPs:

```bash
sudo tcpdump -i <interface> port <syslog-port>
```

**STEP 2.** In Cortex XDR, trigger a test event from the syslog server entry, or generate a real alert.

**STEP 3.** In Coralogix, open **Logs**, then **Explore**, and run:

```text
applicationName:cortex-xdr AND subsystemName:audit-logs
```

If events appear, the integration is working. If they do not, check the Collector logs with `journalctl -u otelcol-contrib -f` and confirm the VM's security group or firewall allows inbound traffic from Cortex XDR's egress IP range.

## Related resources

- [Integrate a syslog receiver — Cortex XDR docs](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Integrate-a-syslog-receiver)
- [Configure notification forwarding — Cortex XDR docs](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Configure-notification-forwarding)
- [Log notification formats — Cortex XDR docs](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Log-notification-formats)
- [OpenTelemetry syslog receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/syslogreceiver)
- [Coralogix exporter for OpenTelemetry](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/coralogixexporter)
