Palo Alto Logs Duplicated

mpower_interac
Explorer

Our PAN firewalls log to Splunk via syslog. When reading the log entries in Splunk, each entry is duplicated (on the same line; the log shows up twice). Can anyone help me figure out what is causing this? We have the latest version of the Palo Alto Networks Add-on for Splunk installed.
https://splunkbase.splunk.com/app/2757/

0 Karma

panguy
Contributor

Are you seeing 2 entries in Splunk that are the same, or 1 entry in Splunk with 2 lines of the same log?

0 Karma

mpower_interac
Explorer

1 entry in Splunk with 2 lines of the same log

0 Karma

panguy
Contributor

This might be an issue with your syslog-ng server. I would recommend checking the config on the syslog server. Did you follow this guide: https://splunk.paloaltonetworks.com/universal-forwarder.html?

0 Karma

mpower_interac
Explorer

Unfortunately we use rsyslog and I'm not an expert - I can get some help internally to figure out if the config is good but does PAN have any documentation for rsyslog instead of syslog-ng? I don't see anything on that page.

0 Karma

panguy
Contributor

Unfortunately, we don't have documentation on rsyslog. Essentially you want to make sure rsyslog does not do any type of parsing before it forwards to Splunk. You will need to check documentation on how to do this with rsyslog.

0 Karma
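Before and after changing the rsyslog forwarding configuration it helps to measure the symptom described in this thread (one Splunk event whose body is the same firewall message written twice) rather than eyeball it. The following Python script is an added example, not code from the thread, from Palo Alto Networks or from Splunk. It strips RFC 3164-style syslog headers from each raw event and reports whether the remaining body is a single message repeated twice; the PAN-OS-style sample events are constructed for the example.

```python
import re

# Constructed sample events: one healthy event, one where the whole syslog
# message (header included) appears twice in a single event, and one where
# only the message body is repeated. These are made-up PAN-OS-style lines.
SAMPLE_EVENTS = [
    "<14>Jan 10 12:00:01 pa-fw-01 1,2024/01/10 12:00:01,001801000000,TRAFFIC,end,10.0.0.5,203.0.113.7,allow",
    "<14>Jan 10 12:00:02 pa-fw-01 1,2024/01/10 12:00:02,001801000000,TRAFFIC,end,10.0.0.9,198.51.100.4,deny "
    "<14>Jan 10 12:00:02 pa-fw-01 1,2024/01/10 12:00:02,001801000000,TRAFFIC,end,10.0.0.9,198.51.100.4,deny",
    "<14>Jan 10 12:00:03 pa-fw-01 1,2024/01/10 12:00:03,001801000000,THREAT,url,10.0.0.7,192.0.2.20,block-url "
    "1,2024/01/10 12:00:03,001801000000,THREAT,url,10.0.0.7,192.0.2.20,block-url",
]

# Optional <PRI>, "Mon DD HH:MM:SS", hostname, trailing space (RFC 3164 header).
SYSLOG_HEADER = re.compile(
    r"(?:<\d{1,3}>)?[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
)


def strip_headers(event):
    """Return (number_of_syslog_headers_seen, body_with_all_headers_removed)."""
    headers = SYSLOG_HEADER.findall(event)
    return len(headers), SYSLOG_HEADER.sub("", event).strip()


def find_repeat(body):
    """If body is one message written twice (optionally separated by
    whitespace), return the single copy; otherwise return None."""
    for k in range(1, len(body)):
        left, right = body[:k].rstrip(), body[k:].lstrip()
        if left and left == right:
            return left
    return None


def classify(event):
    """Describe one raw event: is it duplicated, how many headers, and the
    de-duplicated message text."""
    header_count, body = strip_headers(event)
    single = find_repeat(body)
    return {
        "duplicated": single is not None,
        "header_count": header_count,
        "message": single if single is not None else body,
    }


def audit(events):
    """Summarise a batch of raw events so the fix can be verified by count."""
    results = [classify(e) for e in events]
    return {
        "total": len(results),
        "duplicated": sum(r["duplicated"] for r in results),
        "with_two_headers": sum(r["header_count"] >= 2 for r in results),
        "messages": [r["message"] for r in results],
    }


if __name__ == "__main__":
    summary = audit(SAMPLE_EVENTS)
    print(f"{summary['duplicated']} of {summary['total']} events contain the same message twice")
    for r in (classify(e) for e in SAMPLE_EVENTS):
        flag = "DUP" if r["duplicated"] else "ok "
        print(flag, r["header_count"], "header(s):", r["message"][:60])
```

Feed it the `_raw` field of a few hundred events exported from the PAN sourcetype: a duplication count that stays at zero after the rsyslog change is a clearer confirmation than reading individual events. Distinguishing "two full headers" from "body repeated once" is useful when talking to whoever maintains rsyslog, since the first points at the message being emitted twice and the second at a template that re-adds the message text.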