Linux Servers Integration Guide
Connectivity Requirements
| Source | Destination | Port/Protocol |
|---|---|---|
| Linux server | Taegis™ XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integration
| Auth | DHCP | DNS | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
|---|---|---|---|---|---|---|---|---|---|
Non-Microsoft-based servers (processes like sudo/su/sshd/named) | D | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Logging Configuration Instructions
Linux servers must be configured to send logs — whether DNS, SSH, or sudo — via syslog to the XDR Collector.
Please refer to the vendor’s site for purchasing and configuration guidance.
An example of logging instructions:
Sample logs
Sudo:
Aug 21 18:03:26 ABC sudo[2479]: pam_vas: Authentication <ignored> for <Non-VAS> user: <sysmonpt> account: <> service: <sudo> reason: <>
SSH:
Aug 21 13:29:25 ABC-12345 sshd[12309]: Accepted password for srv_account from 10.118.1.66 port 29436 ssh2
DNS:
Apr 13 14:01:52 10.1.2.3 named[12133]: client 10.9.8.7#37299 (abc.l2.abc.org): query: abc.l2.qwerty.org IN A + (10.11.12.13)