Re: Palo Alto Logs Duplicated

mpower_interac · ‎08-02-2019

Our PAN firewalls log to Splunk via Syslog, when reading the the log entries in Splunk the entry is duplicated (on the same line, the log shows up twice. Can anyone help me figure out what is causing this? We have the latest version of the Palo Alto Networks Add-on for Splunk installed.
https://splunkbase.splunk.com/app/2757/

panguy · ‎08-05-2019

Are you seeing 2 entries in splunk that are the same or 1 entry in splunk with 2 lines of the same log?

mpower_interac · ‎08-06-2019

1 entry in Splunk with 2 lines of the same log

panguy · ‎08-06-2019

This might be an issue with your syslog-ng server. I would recommend checking the config on the syslog server. Did you follow this guide: https://splunk.paloaltonetworks.com/universal-forwarder.html?

mpower_interac · ‎08-06-2019

Unfortunately we use rsyslog and I'm not an expert - I can get some help internally to figure out if the config is good but does PAN have any documentation for rsyslog instead of syslog-ng? I don't see anything on that page.

panguy · ‎08-08-2019

Unfortunately, we don't have documentation on rsyslog. Essentially you want to make sure rsyslog does not do any type of parsing before it forwards to Splunk. You will need to check documentation on how to do this with rsyslog.

Palo Alto Logs Duplicated

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!