
Linux Servers Integration Guide

Connectivity Requirements

Source          Destination                          Port/Protocol
Linux server    Taegis™ XDR Collector (mgmt IP)      UDP/514

Data Provided from Integration

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
Non-Microsoft-based servers (processes like sudo/su/sshd/named) Management Auth, DNS

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions

Linux servers must be configured to send logs — whether DNS, SSH, or sudo — via syslog to the XDR Collector.

Please refer to the vendor’s site for purchasing and configuration guidance.
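The forwarding described above is plain BSD syslog over UDP to the collector's management IP. The following is an added example, not code from this guide or from any vendor: it builds an RFC 3164 datagram in the same shape as the sample logs on this page (PRI, timestamp, host, tag[pid], message), sends it over UDP/514, and includes a loopback round trip so the framing can be checked offline before anything is pointed at the collector. COLLECTOR_IP is a placeholder, not a real address.

```python
"""Build an RFC 3164 syslog datagram and push it over UDP/514 to the collector.

Added example (not Taegis XDR or vendor code). It assumes the collector's
management IP is reachable from the server; COLLECTOR_IP is a placeholder.
"""
import socket
import time

COLLECTOR_IP = "192.0.2.10"   # placeholder: replace with the XDR Collector management IP
SYSLOG_PORT = 514

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """Numeric PRI value that goes between the angle brackets."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def bsd_timestamp(t=None) -> str:
    """'Mmm dd HH:MM:SS' with the day space-padded, as RFC 3164 specifies."""
    t = t or time.localtime()
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"


def build_datagram(facility, severity, hostname, tag, pid, message, timestamp=None) -> bytes:
    """<PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE, the layout of the sample logs on this page."""
    ts = timestamp or bsd_timestamp()
    return f"<{priority(facility, severity)}>{ts} {hostname} {tag}[{pid}]: {message}".encode()


def send_udp(datagram: bytes, host: str, port: int = SYSLOG_PORT) -> int:
    """Fire-and-forget UDP send; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes) -> bytes:
    """Send the datagram to a local listener and return what arrived.

    Lets you confirm the framing offline before sending to the collector.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_udp(datagram, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return data


if __name__ == "__main__":
    # Re-create the page's sshd sample line as a datagram
    d = build_datagram("auth", "info", "ABC-12345", "sshd", 12309,
                       "Accepted password for srv_account from 10.118.1.66 port 29436 ssh2",
                       timestamp="Aug 21 13:29:25")
    print(loopback_roundtrip(d).decode())
    # Uncomment for an end-to-end check against the collector:
    # send_udp(d, COLLECTOR_IP)
```

In production the server's own syslog daemon does this job; on an rsyslog host the equivalent is a selector-and-action rule in /etc/rsyslog.d/ such as `auth,authpriv.*;daemon.* @192.0.2.10:514` (a single `@` means UDP), and hosts that only run journald need rsyslog or syslog-ng installed to forward at all. The datagram above is worth keeping around for connectivity checks: if the message does not show up on the collector, the problem is the network path or the collector, not the daemon configuration.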

An example of logging instructions:

Sample logs

Sudo:

Aug 21 18:03:26 ABC sudo[2479]: pam_vas: Authentication <ignored> for <Non-VAS> user: <sysmonpt> account: <> service: <sudo> reason: <>

SSH:

Aug 21 13:29:25 ABC-12345 sshd[12309]: Accepted password for srv_account from 10.118.1.66 port 29436 ssh2

DNS:

Apr 13 14:01:52 10.1.2.3 named[12133]: client 10.9.8.7#37299 (abc.l2.abc.org): query: abc.l2.qwerty.org IN A + (10.11.12.13)
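The three sample lines above are what the collector has to turn into Auth and DNS records. The parser below is an added example, not Taegis XDR's normaliser, and its field names are my own rather than the XDR schema. It splits the BSD syslog header, then dispatches on the process name: sshd login outcomes (the page shows a success; the same pattern covers failures and "invalid user" attempts), the pam_vas line that sudo emits on VAS-integrated hosts, the standard sudo command audit line (not on the page, added for completeness), and BIND query logs including the "@0x…" client handle newer versions insert. A small aggregation at the end shows the kind of count a custom alert rule would be built on. The fourth sample line is constructed, not from the page.

```python
"""Normalise sudo/sshd/named syslog lines into Auth/DNS records.

Added example; not Taegis XDR's own normaliser, and the field names are
my own choice rather than the XDR schema.
"""
import re
from collections import Counter

# Classic BSD syslog header: "Mmm dd HH:MM:SS host prog[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH login outcome lines ("Accepted ..." / "Failed ..." / "... invalid user ...")
SSHD_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
# pam_vas lines that sudo emits on hosts using the VAS Active Directory PAM module
PAM_VAS_RE = re.compile(
    r"^pam_vas: Authentication <(?P<result>[^>]*)> for <(?P<kind>[^>]*)> user: <(?P<user>[^>]*)> "
    r"account: <(?P<account>[^>]*)> service: <(?P<service>[^>]*)> reason: <(?P<reason>[^>]*)>"
)
# Standard sudo command audit line (not on the page; added for completeness)
SUDO_CMD_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:TTY=(?P<tty>\S+) ; )?PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# BIND query log; newer versions insert "@0x<handle>" after "client"
NAMED_RE = re.compile(
    r"^client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<cport>\d+)(?: \((?P<name>[^)]*)\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)(?: \((?P<server>[^)]*)\))?"
)


def normalize(line: str):
    """Return a normalised record for one syslog line, or None if the header is unrecognised."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    base = {"timestamp": h["ts"], "host": h["host"], "process": h["prog"],
            "pid": int(h["pid"]) if h["pid"] else None}
    msg = h["msg"]
    if h["prog"] == "sshd" and (m := SSHD_RE.match(msg)):
        return {**base, "schema": "auth", "action": "login",
                "result": "success" if m["outcome"] == "Accepted" else "failure",
                "method": m["method"], "user": m["user"], "invalid_user": bool(m["invalid"]),
                "source_ip": m["src"], "source_port": int(m["port"])}
    if h["prog"] == "sudo" and (m := PAM_VAS_RE.match(msg)):
        return {**base, "schema": "auth", "action": "pam_auth", "result": m["result"],
                "user": m["user"], "service": m["service"], "reason": m["reason"] or None}
    if h["prog"] == "sudo" and (m := SUDO_CMD_RE.match(msg)):
        return {**base, "schema": "auth", "action": "privilege_escalation",
                "user": m["user"], "run_as": m["runas"], "command": m["cmd"]}
    if h["prog"] == "named" and (m := NAMED_RE.match(msg)):
        return {**base, "schema": "dns", "client_ip": m["client"], "client_port": int(m["cport"]),
                "query": m["qname"], "qclass": m["qclass"], "qtype": m["qtype"],
                "flags": m["flags"], "server_ip": m["server"]}
    # Known process but unknown message shape: keep it rather than drop it
    return {**base, "schema": "unparsed", "message": msg}


def failed_ssh_logins_by_source(records) -> dict:
    """Count failed SSH logins per source IP: the aggregation a custom alert rule would key on."""
    return dict(Counter(r["source_ip"] for r in records
                        if r and r["schema"] == "auth" and r.get("action") == "login"
                        and r["result"] == "failure"))


SAMPLE_LINES = [
    # The three sample lines from this page
    "Aug 21 18:03:26 ABC sudo[2479]: pam_vas: Authentication <ignored> for <Non-VAS> user: <sysmonpt> account: <> service: <sudo> reason: <>",
    "Aug 21 13:29:25 ABC-12345 sshd[12309]: Accepted password for srv_account from 10.118.1.66 port 29436 ssh2",
    "Apr 13 14:01:52 10.1.2.3 named[12133]: client 10.9.8.7#37299 (abc.l2.abc.org): query: abc.l2.qwerty.org IN A + (10.11.12.13)",
    # Constructed failed-login line, not from the page
    "Aug 21 13:30:02 ABC-12345 sshd[12340]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
]

if __name__ == "__main__":
    records = [normalize(line) for line in SAMPLE_LINES]
    for r in records:
        print(r)
    print("failed SSH logins by source:", failed_ssh_logins_by_source(records))
```

Two details matter when writing rules against data like this. The pam_vas line records the PAM outcome ("ignored" for a non-VAS local account), not whether the sudo command ran, so it should not be treated as a privilege-escalation event on its own; the separate sudo command line carries that. And the host field is whatever the sender put in the header, which for the named sample is a bare IP, so correlating across the Auth and DNS records needs a consistent hostname-to-IP mapping on the collector side.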