Our PAN firewalls log to Splunk via syslog. When reading the log entries in Splunk, each entry is duplicated (on the same line, the log shows up twice). Can anyone help me figure out what is causing this? We have the latest version of the Palo Alto Networks Add-on for Splunk installed.
https://splunkbase.splunk.com/app/2757/
Are you seeing 2 entries in Splunk that are the same, or 1 entry in Splunk with 2 lines of the same log?
1 entry in Splunk with 2 lines of the same log
This might be an issue with your syslog-ng server. I would recommend checking the config on the syslog server. Did you follow this guide: https://splunk.paloaltonetworks.com/universal-forwarder.html?
Unfortunately we use rsyslog and I'm not an expert - I can get some help internally to figure out if the config is good but does PAN have any documentation for rsyslog instead of syslog-ng? I don't see anything on that page.
Unfortunately, we don't have documentation on rsyslog. Essentially you want to make sure rsyslog does not do any type of parsing before it forwards to Splunk. You will need to check documentation on how to do this with rsyslog.
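An added example of the "no parsing before forwarding" setup described in the reply above, for rsyslog rather than syslog-ng. This is not from the original thread or from Palo Alto Networks documentation; the hostname splunk.example.com, the port numbers and the ruleset/template names are assumptions. The point of the template is that `%rawmsg%` re-emits the message exactly as the firewall sent it, whereas rsyslog's default forwarding format rebuilds the header (timestamp, host, tag) from fields it parsed out of the message first.

```conf
# /etc/rsyslog.d/10-panos-to-splunk.conf  (assumed filename)
# Receive PAN-OS syslog on a dedicated port and bind it to its own ruleset
# so the firewall traffic never touches the catch-all rules in rsyslog.conf.
module(load="imudp")
input(type="imudp" port="514" ruleset="panos")
# If the firewalls are configured to send over TCP instead, use imtcp:
# module(load="imtcp")
# input(type="imtcp" port="514" ruleset="panos")

# Forward the message byte-for-byte as received. %rawmsg% is the unparsed
# message; rsyslog's default RSYSLOG_ForwardFormat would re-serialise the
# header from its own parsed fields instead.
template(name="PanRawForward" type="string" string="%rawmsg%\n")

ruleset(name="panos") {
    # Send to the Splunk syslog/forwarder listener (assumed host and port).
    action(type="omfwd"
           target="splunk.example.com"
           port="5514"
           protocol="tcp"
           template="PanRawForward")
    # Stop processing here so no other rule (for example a global
    # "*.* @@splunk..." line elsewhere in the config) forwards the same
    # message a second time.
    stop
}
```

Two checks worth making on the rsyslog host after applying something like this: run `rsyslogd -N1` to validate the configuration, and grep all of /etc/rsyslog.conf and /etc/rsyslog.d/ for `omfwd` or `@@` to confirm the PAN messages are forwarded by exactly one action. Since the Splunk side also matters, compare a single raw message captured on the rsyslog host (for example with tcpdump on the receiving port) against what Splunk shows, which tells you whether the second copy is introduced by rsyslog or by Splunk's own line breaking for that sourcetype.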