Connect HEC Log Exporter

This article outlines the steps required to ship Cloud Control Center logs to any SIEM, XDR, or log management platform that supports the HEC (HTTP Event Collector) protocol.

The HEC Log Exporter connector, introduced in Cloud Control Center release 26.4.0, enables exporting Elisity platform logs to any platform that accepts logs via a standard HEC HTTP collector endpoint — including Palo Alto Networks Cortex XSIAM, Datadog, Elastic, and Sumo Logic. Exportable log categories include policy enforcement logs, identity and classification events, system events, audit logs, and Virtual Edge Node (VEN) events.

Unlike the existing Splunk connector, which uses Splunk-specific semantics such as the Authorization: Splunk <token> header format, this connector is protocol-generic. It authenticates with a token and a configurable token prefix (Bearer by default), so it can target any compliant HEC endpoint.

NOTE:
The HEC Log Exporter connector does not replace the existing Splunk connector. If you are shipping logs to Splunk, continue to use the dedicated Splunk connector. Both connectors can operate independently and simultaneously.

Prerequisites

  • Minimum Cloud Control Center version 26.4.0
  • An HEC-compatible HTTP log collector endpoint on the target platform (the full HTTPS URL)
  • An authentication token or API key generated on the target platform
  • Firewall/NAT rules on the target side that allow inbound HTTPS (TLS 1.2 or higher) from Cloud Control Center to the log collector endpoint

How It Works

Once configured, Cloud Control Center sends the supported log categories to the target endpoint as HTTPS POST requests with a JSON payload. Events are batched for efficiency and flushed when either the configured batch size or the flush interval is reached, whichever comes first. Each event is wrapped in a data object containing the native Elisity event, along with a millisecond-precision collector_ms timestamp:

{
  "data": {
    "event_type": "policy_enforcement",
    "timestamp": "2026-02-23T10:30:00Z",
    "source": "elisity-ccc",
    "payload": { ... }
  },
  "collector_ms": 1740312600000
}

This format is directly compatible with the Cortex XSIAM HTTP Log Collector, and most HEC-compatible platforms (including those that auto-detect JSON) can parse it without additional configuration. If delivery to the target platform fails, Cloud Control Center retries with exponential backoff and honors HTTP 429 rate-limit responses, including the Retry-After header when provided.

NOTE:
Events are currently exported in JSON format only. Other formats such as CEF, LEEF, Syslog, and Raw are not yet supported.
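The receiving side of the exchange described above, as an added example that is not part of this article or of Elisity's own code: a small Python model of an HEC-style collector that checks the Authorization header against the configured token prefix (constant-time token compare, rejecting before the body is parsed), unwraps the data/collector_ms envelope, and computes the wait a sender should apply after a 429 with Retry-After versus a plain exponential backoff. The function names, the sample body contents and the backoff parameters (1 s base, 60 s cap) are assumptions, not values from the connector.

```python
import hmac
import json
from datetime import datetime, timezone

# Constructed sample body in the wrapped data/collector_ms format shown above.
SAMPLE_BODY = json.dumps({"data": {"event_type": "policy_enforcement",
    "timestamp": "2026-02-23T10:30:00Z", "source": "elisity-ccc",
    "payload": {"action": "deny"}}, "collector_ms": 1740312600000})

def check_authorization(header, expected_token, prefix="Bearer"):
    """Validate 'Authorization: <prefix> <token>'. The prefix must equal the
    connector's Token Prefix setting; the token is compared in constant time."""
    if not header:
        return False
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0] != prefix:
        return False
    return hmac.compare_digest(parts[1].encode(), expected_token.encode())

def parse_hec_envelope(body):
    """Return (inner event, collector time as aware UTC datetime); raise on a bad body."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "data" not in doc or "collector_ms" not in doc:
        raise ValueError("missing data or collector_ms")
    event = doc["data"]
    if not isinstance(event, dict):
        raise ValueError("data is not an object")
    missing = [k for k in ("event_type", "timestamp", "source") if k not in event]
    if missing:
        raise ValueError(f"event missing {missing}")
    collected = datetime.fromtimestamp(doc["collector_ms"] / 1000, tz=timezone.utc)
    return event, collected

def handle_post(headers, body, expected_token, prefix="Bearer"):
    """Receiver decision for one POST: 401 on bad auth, 400 on a malformed envelope."""
    if not check_authorization(headers.get("Authorization"), expected_token, prefix):
        return 401, None
    try:
        event, _ = parse_hec_envelope(body)
    except (ValueError, TypeError):  # JSONDecodeError is a ValueError
        return 400, None
    return 200, event

def retry_delay(attempt, status, retry_after=None, base=1.0, cap=60.0):
    """Sender wait before retry: Retry-After on a 429 wins, else 1, 2, 4, ... s capped."""
    if status == 429 and retry_after is not None:
        return float(retry_after)
    return min(cap, base * 2 ** attempt)
```

Pointing a real HEC-compatible platform at a test like this is not necessary; it is useful as a local stand-in to confirm which of the 401 / 400 / 429 paths a given misconfiguration produces.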

Target Platform Instructions (Example: Cortex XSIAM)

The exact steps to create an HEC HTTP collector vary by platform. As an example, for Palo Alto Networks Cortex XSIAM:

1. In Cortex XSIAM, navigate to Settings > Data Sources and add a Custom - HTTP based Collector integration.

2. Generate the collector and copy the API URL (for example, https://api-{tenant}.xdr.us.paloaltonetworks.com/logs/v1/event) and the token.

3. Refer to the Cortex XSIAM documentation for full details.

For other platforms (Datadog, Elastic, Sumo Logic, and others), consult the vendor's documentation for creating an HTTP/HEC log ingestion endpoint and generating an access token. In every case, you need two values for the Cloud Control Center configuration: the endpoint URL and the authentication token.

Elisity Cloud Control Center Instructions

1. Log into Elisity Cloud Control Center and navigate to Settings > Connectors and select + ADD CONNECTOR.

2. In the Add Connector panel, search for HEC, then click Configure on the HEC Log Exporter connector tile. Like the Splunk connector, this connector appears with the logging connectors at the bottom of the connector list — it is not part of the priority-ordered identity enrichment connectors and cannot be reordered.

Add Connector panel with the HEC Log Exporter tile and the Configure link

3. Complete the configuration fields:

URL
    The full HTTPS URL of the HEC HTTP log collector endpoint provided by your target platform (for example, https://api-{tenant}.xdr.us.paloaltonetworks.com/logs/v1/event).

Token
    The authentication token or API key generated on the target platform. The value is masked; use the show/hide icon to reveal it. It is stored encrypted after saving.

Token Prefix
    The prefix prepended to the token in the Authorization header. Defaults to Bearer, which produces an Authorization: Bearer <token> header and is compatible with Cortex XSIAM and most HEC endpoints. Change it only if your target platform expects a different scheme.

Add HEC Log Exporter Connector form showing the URL, Token, and Token Prefix fields

4. Select Submit. The connector should now be listed and show as Active.

5. Verify that Cloud Control Center logs appear on the target platform within a few seconds.

Monitoring the Connector

Once configured, the connector tile displays its connection status (Connected / Disconnected / Error), the last successful delivery timestamp, event delivery counts, and the most recent error message if delivery has failed. The connector can be disabled and re-enabled without deleting its configuration, and all settings can be edited after the initial setup.

Troubleshooting

  • Connector reports a 401/403 error — The authentication token is invalid, expired, or sent in the wrong format. Verify the Token value and confirm the Token Prefix matches what the platform expects (most platforms use Bearer).

  • Connector reports a TLS/certificate error — The target endpoint's certificate could not be validated. Confirm the endpoint presents a complete, trusted certificate chain that Cloud Control Center can validate.

  • Connection times out — Cloud Control Center cannot reach the endpoint. Verify the URL and confirm firewall/NAT rules allow outbound HTTPS from Cloud Control Center to the collector endpoint.

  • Events are not appearing on the target platform — Check the connector status and last error message in Cloud Control Center, and verify any ingestion filters or parsing rules on the receiving platform.
