Hello All,
We are unable to get the Palo Alto Add-on and App to parse the incoming syslog traffic correctly. The environment we are in prevents us from setting up the syslog-ng.conf exactly as the instructions have listed. We are trying to see if the modification that we have to make is causing the issues with the Add-on and App. The following shows what the instructions call for in the inputs and outputs, and then what we have in place.
Palo Alto Instructions:
Under "Destinations" specify a .log file destination:
destination d_udp514 { file("/YOURPATH/udp514.log" template("${MSG}\n")); };
Our Destinations:
destination d_5400-A058-PaloAlto { file("/var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log" owner("root") group("root") perm(0644)); };
destination d_5400-B170-PaloAlto { file("/var/log/syslog-ng/PaloAlto.5400-B170.$YEAR.$MONTH.$DAY.log" owner("root") group("root") perm(0644)); };
destination d_5400-PA220-PaloAlto { file("/var/log/syslog-ng/PaloAlto.5400-PA220.$YEAR.$MONTH.$DAY.log" owner("root") group("root") perm(0644)); };
*********************************
Palo Alto Instructions:
Create or modify /opt/splunkforwarder/etc/system/local/inputs.conf and add a monitoring stanza:
[monitor:///YOURPATH/udp514.log]
sourcetype = pan:log
Our inputs (using HF instead of UF):
[monitor:///var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log]
sourcetype = pan:log

*** Did not work, so used below ***

[monitor:///var/log/syslog-ng/PaloAlto*.log]
sourcetype = pan:log
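The following is an added example, not code from the original post or from the Palo Alto add-on. It models the two mechanics the two configurations above depend on: syslog-ng expands macros ($YEAR/$MONTH/$DAY in the file() path, ${MSG} in template()), whereas Splunk reads a [monitor://...] stanza path literally, so a "$YEAR" in a stanza never matches the dated file names syslog-ng actually creates while a "*" wildcard does. It also renders the same message through the instructed template("${MSG}\n") and through a default file template, to show the header prefix that lands in front of every record when template() is omitted. The hostname, timestamp and PAN-OS record are constructed, and the default syslog-ng file template used here is an assumption rather than something the post states.

```python
"""Added example (not from the original post or the Palo Alto add-on).

Shows why the two configurations above behave differently:
  * syslog-ng expands macros such as $YEAR/$MONTH/$DAY in file() paths and
    ${MSG} in template(), so a destination without template() writes a
    header prefix in front of every PAN-OS record;
  * Splunk reads a [monitor://...] path literally, so "$YEAR" in a stanza
    never matches the dated file names syslog-ng actually creates, while a
    "*" wildcard does.
The sample message, hostname and timestamp are constructed; the default
syslog-ng file template is an assumption, not taken from the post.
"""
import fnmatch
import re

# Constructed macro values, as syslog-ng would hold them for one message.
SAMPLE = {
    "HOST": "pa-5400-a058",                   # assumed firewall hostname
    "ISODATE": "2019-03-04T10:15:30+00:00",   # constructed receive time
    "MSGHDR": "",                             # assumed: no "program[pid]: " header
    # constructed PAN-OS style CSV record (fields after the type are elided)
    "MSG": "1,2019/03/04 10:15:30,001122334455,TRAFFIC,end,2049,...",
    "YEAR": "2019", "MONTH": "03", "DAY": "04",
}

# Matches ${NAME} or $NAME macro references.
MACRO = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def expand(template, values):
    """Expand syslog-ng style macros; unknown macros are left untouched."""
    def sub(match):
        name = match.group(1) or match.group(2)
        return values.get(name, match.group(0))
    return MACRO.sub(sub, template)


# Template the add-on instructions ask for: message body only.
INSTRUCTED_TEMPLATE = "${MSG}\n"
# Assumption: what the file() driver emits when no template() is given.
DEFAULT_TEMPLATE = "${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"


def render_line(template, values=SAMPLE):
    """The line syslog-ng writes to the .log file for this message."""
    return expand(template, values)


def first_csv_field(line):
    """First comma-separated field of a written line. A PAN-OS record starts
    with its format-version field, so anything else is a header prefix."""
    return line.rstrip("\n").split(",", 1)[0]


def rendered_path(path_template, values=SAMPLE):
    """File name syslog-ng creates for a file() destination with macros."""
    return expand(path_template, values)


def stanza_matches(stanza_path, actual_path):
    """Splunk monitor stanza matching: literal path plus * wildcards.
    Macros are not expanded, so '$YEAR' only matches a literal '$YEAR'."""
    return fnmatch.fnmatchcase(actual_path, stanza_path)


if __name__ == "__main__":
    path = rendered_path(
        "/var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log")
    print("file written by syslog-ng:", path)
    for stanza in ("/var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log",
                   "/var/log/syslog-ng/PaloAlto*.log"):
        print(f"  [monitor://{stanza}] matches: {stanza_matches(stanza, path)}")
    for name, tpl in (("instructed", INSTRUCTED_TEMPLATE),
                      ("default", DEFAULT_TEMPLATE)):
        print(f"{name:10} first CSV field = {first_csv_field(render_line(tpl))!r}")
```

Running it prints that only the wildcard stanza matches the dated file, and that the instructed template leaves the record's first field as the PAN-OS version field while the default template shifts every field right by a timestamp and hostname, which is the kind of difference a CSV-positional sourcetype would notice.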