topic Re: Palo Alto app not parsing the sourcetype in All Apps and Add-ons

Palo Alto app not parsing the sourcetype

ccsfdave — Tue, 29 Sep 2020 08:59:47 GMT

I can see the Palo Alto data coming into the Heavy Forwarder, into the /var/log/syslog/ngf01 (and ngf02). On the Search Head I see how the sourcetype should be extracted in: /opt/splunk/etc/apps/Splunk_TA_paloalto/default/transforms.conf but nothing is extracted and thus none of the Palo Alto data is extracted, it just comes in raw into the index = pan_logs but all the data goes to the sourcetype=pan and thus extractions of fields downstream of that do not work

I would expect minimum sourcetypes of pan_threat, pan_traffic, pan_system, pan_config

Re: Palo Alto app not parsing the sourcetype

maciep — Tue, 29 Sep 2020 09:00:54 GMT

Do you have the Splunk_TA_paloalto add-on installed on the heavy forwarder as well? That's where the sourcetype parsing needs to happen in your scenario.

Re: Palo Alto app not parsing the sourcetype

ccsfdave — Tue, 08 Mar 2016 00:34:11 GMT

Ya, I have the TA installed as per the installation instructions. I tried to follow them to a T but have been known to be spacey

Re: Palo Alto app not parsing the sourcetype

maciep — Tue, 08 Mar 2016 02:11:05 GMT

I just took a quick peek at the TA, and it looks like it expects the initial sourcetype to be pan_log (or pan:log). Are you setting yours to just pan in your inputs? That might explain why it's not getting processed correctly

[pan_log]
rename = pan:log
pulldown_type = false
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44

[pan:log]
category = Network & Security
description = Output produced by the Palo Alto Networks Next-generation Firewall and Traps Endpoint Security Manager
pulldown_type = true
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint

Re: Palo Alto app not parsing the sourcetype

ccsfdave — Tue, 08 Mar 2016 16:35:22 GMT

Hmm, unless I am looking at the wrong inputs.conf (/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf) below is what I have in there on my heavy forwarder:

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

Re: Palo Alto app not parsing the sourcetype

ccsfdave — Tue, 29 Sep 2020 09:01:05 GMT

shoot, in

/opt/splunk/etc/apps/sf_syslog_inputs/local/inputs.conf

I had:
[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4

Which I have now changed to pan_logs and bounced the Fwdr. Let's see what happens

Re: Palo Alto app not parsing the sourcetype

jibin1988 — Wed, 12 Feb 2020 15:27:43 GMT

@ccsfdave You got it fixed? I have the same issue. palo alto logs are not getting parsed with TA.
can you please update if you got it fixed?

Re: Palo Alto app not parsing the sourcetype

ccsfdave — Wed, 12 Feb 2020 16:10:31 GMT

@jibin1988 Hit me up on Slack or post your specific question, I may be able to help. This Answers is approaching 4y old so I am sure what issues I had are behind me.

Re: Palo Alto app not parsing the sourcetype

jibin1988 — Mon, 17 Feb 2020 08:36:33 GMT

@ccsfdave please let me know your slack id. request you to ping on slack j.sebastian@obrela.com