I configured the inputs.conf of the Palo Alto app exactly as in the documentation.
However, in addition to the Palo Alto logs, I get other logs via udp:514. The configuration in inputs.conf is forwarding all logs via 514 to the pan:log sourcetype.
How could I change only the Palo Alto logs to the sourcetype pan:log?
Best: let a dedicated syslog daemon receive the data and write it to disk, then let a universal forwarder read the log files and assign sourcetypes per file.
Bad: make each source use a distinct port.
Bad: keep all sources on one port and define props/transforms to rewrite sourcetype, index, etc. based on the event, host, etc.
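The "best" option above, written out as an added configuration example (not from the original thread or from the Palo Alto app): rsyslog splits incoming UDP 514 traffic into per-host directories by sender address, and the universal forwarder's inputs.conf assigns pan:log only to the firewall directory. The firewall addresses 192.0.2.10/11, the /var/log/remote path, the index names and the rsyslog v7+ RainerScript syntax are all assumptions.

```conf
# --- rsyslog side: /etc/rsyslog.d/10-remote.conf (constructed example) ---
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# One directory per sender IP. Firewalls and everything else land in
# separate trees so the forwarder can sourcetype them per directory.
template(name="PaloFile"  type="string"
         string="/var/log/remote/paloalto/%FROMHOST-IP%/syslog.log")
template(name="OtherFile" type="string"
         string="/var/log/remote/other/%FROMHOST-IP%/syslog.log")

ruleset(name="remote") {
    # Placeholder firewall management addresses (assumption).
    if ($fromhost-ip == "192.0.2.10" or $fromhost-ip == "192.0.2.11") then {
        action(type="omfile" dynaFile="PaloFile")
        stop
    }
    # Anything else on 514 is written to the "other" tree.
    action(type="omfile" dynaFile="OtherFile")
}

# --- universal forwarder side: $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf ---
# Path segments: 1=var 2=log 3=remote 4=paloalto|other 5=<sender IP>,
# so host_segment = 5 sets host to the sender IP directory name.

[monitor:///var/log/remote/paloalto/*/syslog.log]
sourcetype = pan:log
index = firewall
host_segment = 5
disabled = 0

[monitor:///var/log/remote/other/*/syslog.log]
sourcetype = syslog
index = main
host_segment = 5
disabled = 0
```

Remove the original [udp://514] stanza from inputs.conf once rsyslog owns the port, otherwise both processes compete for the socket.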