
Add collectors to your log repository to collect and ingest log data from your third-party data sources.

Before you begin

To add a collector to a log repository, you must have at least one deployed Service Gateway with the Third-Party Log Collection service installed. To learn how to deploy a Service Gateway, see Deployment guides.
Note
This feature is not available in all regions.
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.

Procedure

  1. In Workflow and Automation > Data Source and Log Management > XDR Threat Investigation > Third-Party Log Collection, click the name of the log repository to which you wish to add a collector.
    The Log Repository Details drawer appears.
  2. Go to the Collectors tab and click Add Collector.
    The Add Collector screen appears.
  3. Specify a name and optional description for the collector.
  4. Configure the collection settings and data sources.
    1. Choose a Service Gateway for the collector to use to access the third-party data source. Only Service Gateways with the Third-Party Log Collection service installed appear on the list.
    2. Select a protocol to use for data traffic. TLS and TCP are supported.
      Important
      If you wish to receive log data in Third-Party Log Collection using the TLS protocol, you must upload a valid certificate from your organization to the Service Gateway. For instructions, see How do I upload a certificate to a Service Gateway?
    3. Select an available port for receiving data traffic. Once chosen, port numbers should be configured in your third-party data source.
    4. Specify the sending IP addresses of the third-party data source, separated by commas. Only IPv4 addresses are supported. Ensure you are using trusted IP addresses copied from your third-party data source.
  5. Click Add.
    The collector is added to the log repository.
  6. Monitor the collector connection status.
    1. Click the name of the log repository associated with the collector.
      The Log Repository Details screen appears.
    2. Go to the Collectors tab.
    3. View the collector connection status in the Connection status column. Check the associated Service Gateway connection if the collector status displays as Unhealthy.
    4. Ensure the collected log data is available by executing a related query in the Search app.
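The sending IP address field in step 4 takes comma-separated IPv4 addresses only. The following pre-flight check for a list copied from a data source is an added example, not part of the product or its documentation. The function name, the sample addresses, and the decision to reject ranges, hostnames, duplicates, and non-routable addresses are assumptions; the console's own validation rules may differ.

```python
import ipaddress

def check_sender_list(field):
    """Split a comma-separated sender field into accepted IPv4 addresses
    and (entry, reason) pairs for everything that should be fixed first."""
    accepted, problems = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            problems.append((entry, "empty entry (stray comma)"))
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # CIDR ranges, hostnames and mistyped octets all land here
            problems.append((entry, "not a single IP address"))
            continue
        if addr.version != 4:
            problems.append((entry, "IPv6 is not supported"))
        elif (addr.is_unspecified or addr.is_loopback
              or addr.is_multicast or addr.is_link_local):
            # Assumption: such addresses are never a real log sender
            problems.append((entry, "not a routable sender address"))
        elif str(addr) in accepted:
            problems.append((entry, "duplicate"))
        else:
            accepted.append(str(addr))
    return accepted, problems

# Constructed sample input, not taken from any real environment
SAMPLE = ("10.20.30.40, 10.20.30.41,10.20.30.40, 2001:db8::5, "
          "10.20.30.0/24, fw01.example.internal, 0.0.0.0, 127.0.0.1,")

if __name__ == "__main__":
    ok, bad = check_sender_list(SAMPLE)
    print("Paste into the collector:", ",".join(ok))
    for entry, reason in bad:
        print(f"Fix before adding: {entry!r}: {reason}")
```
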