☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Linux Servers Integration Guide

integrations endpoints linux

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
Linux server	Taegis™ XDR Collector (mgmt IP)	UDP/514

Data Provided from Integration ⫘

	Auth	DHCP	DNS	File	HTTP	Management	Netflow	NIDS	Process	Thirdparty
Non-Microsoft-based servers (processes like sudo/su/sshd/named)	D		D			Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions ⫘

Linux servers must be configured to send logs — whether DNS, SSH, or sudo — via syslog to the XDR Collector.

Please refer to the vendor’s site for purchasing and configuration guidance.

An example of logging instructions:

Sample logs ⫘

Sudo:

Aug 21 18:03:26 ABC sudo[2479]: pam_vas: Authentication <ignored> for <Non-VAS> user: <sysmonpt> account: <> service: <sudo> reason: <>

SSH:

Aug 21 13:29:25 ABC-12345 sshd[12309]: Accepted password for srv_account from 10.118.1.66 port 29436 ssh2

DNS:

Apr 13 14:01:52 10.1.2.3 named[12133]: client 10.9.8.7#37299 (abc.l2.abc.org): query: abc.l2.qwerty.org IN A + (10.11.12.13)

On this page:

Connectivity Requirements
Data Provided from Integration
Logging Configuration Instructions
Sample logs