How to Connect Your Log Sources to Xpernix
A step-by-step guide to connecting cloud, on-premises, and SaaS log sources to the Xpernix managed SIEM platform in under 15 minutes.
Overview
Connecting your log sources is the first — and most important — step in getting value from Xpernix. This guide walks you through the process from login to your first live event.
Estimated time: 15–30 minutes
Required: Admin access to your log sources and Xpernix portal credentials
Step 1: Log In to the Xpernix Portal
Navigate to app.xpernix.com and sign in with your credentials. If you haven’t received your invite yet, contact your onboarding engineer or email [email protected].
Once logged in, you’ll land on the Security Overview dashboard.
Step 2: Open the Integrations Panel
From the left sidebar, click Integrations → Log Sources.
You’ll see the connector library. We support 200+ pre-built connectors across:
- Cloud providers: AWS (CloudTrail, VPC Flow Logs, GuardDuty), Azure (Entra ID, Defender, Activity Log), GCP
- Identity: Okta, Microsoft Entra ID, Duo, JumpCloud
- Network: Palo Alto Networks, Fortinet, Cisco, pfSense, Check Point
- Endpoints: CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black
- SaaS: GitHub, Slack, Salesforce, Jira, Google Workspace, Microsoft 365
- Custom: Syslog (UDP/TCP/TLS), HTTP webhook, S3 bucket, Kafka
Step 3: Add Your First Connector
Click the + Add Source button and search for your platform.
Each connector shows:
- Authentication method required (API key, OAuth, syslog, etc.)
- Average setup time
- Fields that will be normalized
- Sample event
Click Add to start the configuration wizard.
Step 4: Configure Authentication
Depending on the connector, you’ll need to provide one of:
| Auth type | Where to get it |
|---|---|
| API key | Your platform’s admin → API section |
| OAuth | Click “Authorize” and log in to the source platform |
| Syslog endpoint | We provide you with an IP:port; configure your device to send there |
| S3 bucket ARN | IAM role setup wizard guides you step by step |
Once entered, click Test Connection. A green ✓ means Xpernix can reach your source.
Step 5: Verify Live Ingestion
Navigate to Live Stream in the sidebar. Within 5 minutes of a successful connection you should see events arriving and being normalized.
Key things to verify:
- source_host is populated correctly
- event_type matches what you expect
- Timestamps are in UTC
If events aren’t appearing after 10 minutes, check our troubleshooting guide or ping your dedicated Slack channel.
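The three checks above can also be scripted against a batch of normalized events. The following is an added example, not Xpernix code: it assumes events are available as JSON lines and that the timestamp field is named `timestamp` in ISO 8601 form; only `source_host` and `event_type` are field names taken from this guide, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events; the JSON-lines layout and the "timestamp"
# field name are assumptions, not the documented Xpernix schema.
SAMPLE = """\
{"source_host": "fw-edge-01", "event_type": "network.flow", "timestamp": "2024-05-01T12:00:00Z"}
{"source_host": "", "event_type": "network.flow", "timestamp": "2024-05-01T12:00:01Z"}
{"source_host": "okta", "event_type": "auth.login", "timestamp": "2024-05-01T14:00:02+02:00"}
{"source_host": "dc-01", "event_type": "unknown", "timestamp": "2024-05-01 12:00:03"}
"""

def check_event(event, expected_types):
    """Return a list of problems found in one normalized event."""
    problems = []
    host = event.get("source_host")
    if not isinstance(host, str) or not host.strip():
        problems.append("source_host missing or empty")
    if event.get("event_type") not in expected_types:
        problems.append(f"unexpected event_type: {event.get('event_type')!r}")
    raw = event.get("timestamp")
    try:
        # fromisoformat() before Python 3.11 rejects a trailing "Z"
        ts = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    except ValueError:
        problems.append(f"timestamp not ISO 8601: {raw!r}")
    else:
        if ts.tzinfo is None:
            problems.append("timestamp has no UTC offset (ambiguous zone)")
        elif ts.utcoffset() != timedelta(0):
            problems.append(f"timestamp offset is {ts.utcoffset()}, not UTC")
    return problems

def check_stream(text, expected_types):
    """Map 1-based line number -> problems, for lines that fail a check."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            problems = check_event(json.loads(line), expected_types)
        except (ValueError, AttributeError, TypeError):
            problems = ["malformed event"]  # bad JSON or not a JSON object
        if problems:
            report[lineno] = problems
    return report

if __name__ == "__main__":
    for lineno, problems in check_stream(SAMPLE, {"network.flow", "auth.login"}).items():
        print(f"line {lineno}: " + "; ".join(problems))
```

A timestamp with no offset is flagged separately from one with a non-zero offset, because the first usually means the source device is sending local time without a zone, which skews cross-source correlation.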
What Happens Next
Once your logs are flowing, our detection engine begins:
- Normalizing raw events into a common schema
- Enriching IPs against threat intelligence feeds
- Correlating events across sources to detect multi-stage attacks
- Alerting your SOC analyst team when a detection fires
You’ll see your first baseline report within 24 hours of connecting your primary log sources.
Recommended Log Sources to Connect First
| Priority | Source | Why it matters |
|---|---|---|
| 1 | Identity provider (Okta, Entra ID) | Authentication attacks are the #1 entry vector |
| 2 | Cloud platform (AWS, Azure, GCP) | Cloud misconfigurations and API abuse |
| 3 | Endpoint (CrowdStrike, Defender) | Malware, lateral movement |
| 4 | Firewall / network | Exfiltration and C2 traffic |
Need Help?
Reach out in your dedicated Slack/Teams channel or email [email protected]. Your onboarding engineer typically responds within 30 minutes during business hours.
Ready to get started?
Book a free discovery call — we'll have your managed SIEM environment live within hours.