One of the things you will need to know is whether the integrations you have configured are working correctly and sending telemetry into Samurai XDR.
You can easily get an overview of which of your Integrations are healthy by viewing the Telemetry Monitoring Dashboard in the app. This dashboard gives you a concise overview of any integrations which are unhealthy - or in other words, Integrations which have not generated events recently:
The fact that an Integration is unhealthy doesn't necessarily mean that there is a fault. It may just mean that the device that sends the logs is currently shut down, so an integration that is not generating logs is not automatically a problem.
Managing Integration Health
There are a few factors which could result in telemetry not being properly ingested. This article takes you through the main factors which could impact whether an integration is working or not, who is responsible for them, and how to address them.
In order for a log source to be ingested into the platform, the following main areas need to be working properly:
- Platform is available: We are responsible for making sure that the Samurai XDR platform is available. You can always verify platform availability at our status page.
- Log source configuration: Often the first place to check is that the log source is correctly configured to send logs. If your log source uses a Cloud Collector, you will also need to check that the Cloud Collector is correctly configured in the platform. Make sure that you have followed all of the configuration steps outlined in the configuration guide for the Integration.
- Connectivity: Any log sources using the Secure Syslog Connector are dependent on Internet connectivity between your premises and Samurai XDR. Check that your Internet connection is available and that firewalls are configured to allow the traffic through. The Secure Syslog Collector article also provides a detailed explanation of all of the connectivity requirements.
- Cloud Collector: If your log source uses a Cloud Collector, the health of your integration is also dependent on the Cloud Collector being operational. If your log source is correctly configured but the integration remains unhealthy, we will need to verify that the Cloud Collector is operational for you.
Once you have confirmed that the Collector is correctly configured, check the Integration status. From the Collectors menu you can expand a Collector to view its associated integrations and their state of health. Alternatively, navigate to the Integrations page. Refer to Integrations for further steps.
For each Integration you will see a column called 'Last Event Seen'. This column provides the timestamp (in the format [yyyy:mm:dd], [hh:mm:ss]) of the last received event, represented in Coordinated Universal Time (UTC).
Last Event Seen is only displayed for telemetry of type log; it therefore does not include extended telemetry collection at this time.
Within the current version of Samurai XDR, we monitor 'Last Event Seen' against specific timeframes that map directly to the Status. The table below lists the time periods and their related status:
- No events seen for over 24 hrs
- No events seen between 12 and 24 hrs
- Events seen within the last 12 hrs
If for some reason, the Integration is not healthy or not available (e.g. not Green), then run through the Integration guide for your specific device and confirm there are no other controls blocking telemetry traffic.
If you still have issues, please raise a ticket via the Samurai Help Center.
Querying the detail
If you would like to go into more detail about the events from your log sources, you can make use of Advanced Query to analyze the events stored in the data lake. This will help you to answer questions like:
- Is my log source generating logs intermittently? By querying your log source over a period of time, the graphical representation of events will quickly show you time periods when your log source was not generating logs:
- When did my log source last generate an event and what was that event? You can easily find the last time when a log source generated an event. This will be the same as the "Last Event Seen" field for the Integration. For instance, the following query shows the last log generated in the last 7 days:
- Is my log source configured to generate correctly formatted logs? Sometimes a configuration error on your log source might result in your log source generating incorrectly formatted logs. By examining the raw log content you can check that your logs are correctly formatted. This will assist in correcting any configuration errors which may have resulted in incorrectly formatted logs being sent.
- Is my log source sending the logs I need? By checking the types of events generated, you can verify that you have configured the log source to send the logs you require, and that it is generating them. For instance, in this example, we are verifying that a device is generating DNS logs as expected:
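The two checks above, mapping a 'Last Event Seen' timestamp to the article's 12/24 hour status buckets and spotting the silent periods of an intermittent log source, written out as an added Python example. This is not Samurai XDR code or its Advanced Query syntax: the bucket labels, the hypothetical helper names and the constructed sample timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Thresholds taken from the article's status table (the page names only the
# healthy state, "Green"; the other two buckets are labelled by their time period).
HEALTHY_WINDOW = timedelta(hours=12)
STALE_WINDOW = timedelta(hours=24)


def last_event_status(last_event_seen, now):
    """Map a UTC 'Last Event Seen' timestamp (or None) to a status bucket.

    Assumption: an event exactly 12 h or 24 h old falls in the better bucket.
    """
    if last_event_seen is None:          # integration has never sent an event
        return "no events seen over 24 hrs"
    age = now - last_event_seen
    if age <= HEALTHY_WINDOW:
        return "events seen within the last 12 hrs"
    if age <= STALE_WINDOW:
        return "no events seen between 12-24 hrs"
    return "no events seen over 24 hrs"


def unhealthy_integrations(integrations, now):
    """Return the names of integrations that are not in the healthy bucket.

    `integrations` maps an integration name to its last event timestamp or None.
    """
    return sorted(name for name, seen in integrations.items()
                  if last_event_status(seen, now) != "events seen within the last 12 hrs")


def silent_periods(event_times, max_gap):
    """Return (start, end) pairs where consecutive events are further apart than max_gap.

    This is the 'intermittent log source' check run over a list of event
    timestamps instead of the in-app event graph.
    """
    times = sorted(event_times)
    return [(earlier, later) for earlier, later in zip(times, times[1:])
            if later - earlier > max_gap]


# Constructed reference time and sample data (not real telemetry).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
# Hourly events over the last 12 hours, with the 04:00-07:00 events missing.
SAMPLE_EVENTS = [NOW - timedelta(hours=h) for h in range(13) if h not in (5, 6, 7, 8)]
SAMPLE_INTEGRATIONS = {
    "firewall": NOW - timedelta(hours=1),
    "dns-server": NOW - timedelta(hours=18),
    "legacy-proxy": None,
}
```
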