Hello!

I send events from PaloAlto Panorama to Splunk, and I have a problem.

I install the PaloAlto Add-on, but it doesn't work properly for me.

If i use my custom sourcetype, i see a lot of events, nearly 1000 in second.

If i use pan:firewall sourcetype - i see no events.

If i use pan:log sourcetype - i see only pan:system messages, for example like this (without [] brackets):

[<14>Feb 7 22:11:46 my-domain 1,2019/02/07 22:11:45,000702397372,SYSTEM,tls,0,2019/02/07 22:11:45,,panorama-auth-success,,0,0,general,informational,"Client authentication successful PAN-OS ver: 8.0.4 Panorama ver:8.1.5 Client IP: x.x.x.x Server IP: y.y.y.y Client CN: 012001003158",387069,0x0,0,0,0,0,,Panorama]

But usually, I receive a lot of protocol-related events (see below); does the App parse it?

[<14>Feb 7 22:12:32 my-domain 1,2019/02/07 22:12:32,001801012275,TRAFFIC,start,1,2019/02/04 16:18:07,x.x.x.x,y.y.y.y,0.0.0.0,0.0.0.0,Dddd,,,bittorrent,vsys1,trust,trust,ethernet1/11,ethernet1/12,Logs,2019/02/04 16:18:07,111853,1,44822,19023,0,0,0x4000,udp,allow,76,76,0,1,2019/02/04 16:18:07,0,any,0,66004439243,0x8000000000000000,x.x.x.x-y.y.y.y,Russian Federation,0,1,0,n/a,11,0,0,0,,spb-pan,from-policy,,,0,,0,,N/A,0,0,0,0]

By the way, you can see panorama version (PAN-OS ver: 8.0.4 Panorama ver:8.1.5). So, i have several PaloAlto NGFW, that sends data to Panotama.

Does anybody have any advice for me on what to do and how it is possible to automatically parse all events?