I am currently using the Splunk TA for Palo Alto data, and I'm ingesting data from Cortex Data Lake into a new Azure syslog server.
But there is a large problem with the data we're ingesting. The data being sent is literally missing a single field. Below is a reference of what we should be ingesting:
Configuration Syslog Field Order (paloaltonetworks.com)
If you look at the example from this link, you will see this log:
Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-13T20:56:03.000000Z,007051000113358,CONFIG,config,,2020-10-13T20:56:00.000000Z,xxx.xx.x.xx,,rename,admin,,submitted,/config/shared/log-settings/globalprotect/match-list/entry[@name='rs-globalprotect'],150,-9223372036854775808,0,0,0,0,,PA-VM,,,,2020-10-13T20:56:00.284000Z
But what I'm receiving is:
Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 2020-10-13T20:56:03.000000Z,007051000113358,CONFIG,config,,2020-10-13T20:56:00.000000Z,xxx.xx.x.xx,,rename,admin,,submitted,/config/shared/log-settings/globalprotect/match-list/entry[@name='rs-globalprotect'],150,-9223372036854775808,0,0,0,0,,PA-VM,,,,2020-10-13T20:56:00.284000Z
In the log I'm receiving, I'm missing a comma (,) before the 2020 in this line:
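To compare the two lines quoted above mechanically, here is an added Python example; it is not part of the original post and not code from Palo Alto Networks or the Splunk TA. It splits each syslog line at the `panwlogs - ` message boundary, parses the remainder as CSV, and counts fields: the documented CONFIG record has 26 comma-separated fields, the received one has 25. When a record is exactly one field short and begins with a timestamp, it re-inserts a leading placeholder so that positional field extraction downstream lines up again. The count of 26 is taken from the documented line on this page; the placeholder value `1` is an assumption copied from that same example, and the exact meaning of that leading field is not something this snippet knows.

```python
import csv
import re
from io import StringIO

# Constructed samples, copied from the post: the documented CONFIG record and the
# one actually received. Both share the same syslog header.
HEADER = ("Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 "
          "2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-eq28-harness-16kn "
          "logforwarder - panwlogs - ")
BODY = ("2020-10-13T20:56:03.000000Z,007051000113358,CONFIG,config,,"
        "2020-10-13T20:56:00.000000Z,xxx.xx.x.xx,,rename,admin,,submitted,"
        "/config/shared/log-settings/globalprotect/match-list/entry[@name='rs-globalprotect'],"
        "150,-9223372036854775808,0,0,0,0,,PA-VM,,,,2020-10-13T20:56:00.284000Z")
EXPECTED = HEADER + "1," + BODY   # documented line (26 fields)
RECEIVED = HEADER + BODY          # line as received (25 fields)

MSGID_SEP = " panwlogs - "        # boundary between syslog header and CSV payload
EXPECTED_FIELD_COUNT = 26         # counted from the documented CONFIG example
LEADING_PLACEHOLDER = "1"         # assumption: value of the leading field in the documented line
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def split_syslog(line):
    """Split a line into (syslog header incl. separator, CSV payload)."""
    head, sep, payload = line.partition(MSGID_SEP)
    if not sep:
        raise ValueError("no 'panwlogs' message boundary found")
    return head + sep, payload


def parse_fields(payload):
    """Parse the comma-separated payload; csv handles any quoted fields safely."""
    return next(csv.reader(StringIO(payload)))


def field_count(line):
    """Number of CSV fields in the record carried by this syslog line."""
    _, payload = split_syslog(line)
    return len(parse_fields(payload))


def is_short_by_one(line):
    """True when the record is one field short and starts at the timestamp
    rather than at the documented leading field."""
    _, payload = split_syslog(line)
    fields = parse_fields(payload)
    return len(fields) == EXPECTED_FIELD_COUNT - 1 and bool(ISO_TS.match(fields[0]))


def realign(line, placeholder=LEADING_PLACEHOLDER):
    """Re-insert the missing leading field so downstream positional extraction
    sees the documented 26-field layout. Lines already aligned are returned unchanged."""
    head, payload = split_syslog(line)
    fields = parse_fields(payload)
    if len(fields) == EXPECTED_FIELD_COUNT - 1 and ISO_TS.match(fields[0]):
        fields.insert(0, placeholder)
    out = StringIO()
    csv.writer(out, lineterminator="").writerow(fields)  # re-serialise with csv quoting rules
    return head + out.getvalue()


if __name__ == "__main__":
    for name, line in (("expected", EXPECTED), ("received", RECEIVED)):
        print(f"{name}: {field_count(line)} fields, short by one: {is_short_by_one(line)}")
    print("realigned == expected:", realign(RECEIVED) == EXPECTED)
```

Running this on the two lines prints 26 and 25 fields respectively and confirms that the realigned received line is byte-for-byte the documented one. The timestamp check is the guard that keeps the rewrite from misfiring on a record that is short for some other reason; a record that is short but does not start with a timestamp is passed through untouched so that it can be inspected rather than silently reshaped.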