topic Re: Palo Alto Networks syslog: 1 host is ingested with incorrect date in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-Networks-syslog-1-host-is-ingested-with-incorrect-date/m-p/303536#M57319 <P>May have figured this out. Had another app, Splunk_TA_paloalto, adjusting the max_timestamp_lookahead to 44 (without the time prefix), which seems to be in the middle of the day in the date string. Have changed that to 50 and pushed it out. Crossing fingers.</P> Tue, 29 Sep 2020 15:31:37 GMT manderson7 2020-09-29T15:31:37Z Palo Alto Networks syslog: 1 host is ingested with incorrect date https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-Networks-syslog-1-host-is-ingested-with-incorrect-date/m-p/303535#M57318 <P>Pretty weird situation here. Bringing in multiple palo alto syslog sources, all going to the same main syslog directory, then divvied up by host name, so /var/log/syslog/PaloAlto/host1/host1-PaloAlto.log, etc.<BR /><BR /> Host 1 is showing the correct date in the event that matches the log </P> <PRE><CODE>13:49:48,010108000857,TRAFFIC,end,1,2017/08/28 13:49:48,172.30.69.194,172.30.5.69,0.0.0.0,0.0.0.0,DC_Dea_Any,,,tanium,vsys3,DC_DEA_TRUSTED,DC_DEA_UNTRUSTED,ethernet6/4.1028,ethernet6/3.1028,Log_Fwd_PA-7050,2017/08/28 13:49:48,1343232963,1,54123,17472,0,0,0x5e,tcp,allow,3133,893,2240,14,2017/08/28 13:49:29,17,any,0,0,0x0,172.16.0.0-172.31.255.255,172.16.0.0-172.31.255.255,0,9,5,tcp-fin,43,0,0,0,DC-DEA,host1,from-policy 8/28/17 1:49:48.010 PM </CODE></PRE> <P>while host 2 is showing </P> <PRE><CODE>13:49:49,007801000317,TRAFFIC,end,0,2017/08/28 13:49:28,204.76.30.253,172.217.2.46,0.0.0.0,0.0.0.0,PUBLIC_TO_INTERNET,,,google-analytics,vsys10,IPS_IN,IPS_IN,ethernet1/1,ethernet1/1,Log_Fwd,2017/08/28 13:49:28,120421,1,57690,443,0,0,0x53,tcp,allow,6609,1706,4903,17,2017/08/28 13:46:38,168,computer-and-internet-info,0,31998418668,0x8000000000000000,United States,United States,0,9,8,tcp-fin,892,0,0,0,IPS_TEST,host2,from-policy,,,0,,0,,N/A 8/2/17 1:49:49.007 PM </CODE></PRE> <P>We're uncertain how long this has been going on. I've added the following props for the sourcetype, but it's had no effect:</P> <PRE><CODE>[pan:traffic] DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_FORMAT = %Y/%m/%d %H:%M:%S TIME_PREFIX = \S+\,\S+\,\S+\,\S+\,\S+\, category = Custom pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 19 </CODE></PRE> <P>I tried it without the timestamp_lookahead, but no change. Any help here would be appreciated.</P> Mon, 28 Aug 2017 18:03:57 GMT https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-Networks-syslog-1-host-is-ingested-with-incorrect-date/m-p/303535#M57318 manderson7 2017-08-28T18:03:57Z Re: Palo Alto Networks syslog: 1 host is ingested with incorrect date https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-Networks-syslog-1-host-is-ingested-with-incorrect-date/m-p/303536#M57319 <P>May have figured this out. Had another app, Splunk_TA_paloalto, adjusting the max_timestamp_lookahead to 44 (without the time prefix), which seems to be in the middle of the day in the date string. Have changed that to 50 and pushed it out. Crossing fingers.</P> Tue, 29 Sep 2020 15:31:37 GMT https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-Networks-syslog-1-host-is-ingested-with-incorrect-date/m-p/303536#M57319 manderson7 2020-09-29T15:31:37Z