I can see the Palo Alto data coming into the Heavy Forwarder, into /var/log/syslog/ngf01 (and ngf02). On the Search Head I can see how the sourcetype should be extracted in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/transforms.conf, but nothing is extracted, and thus none of the Palo Alto data is extracted; it just comes in raw into index=pan_logs, but all the data goes to sourcetype=pan, and thus the field extractions downstream of that do not work.
I would expect, at minimum, the sourcetypes pan_threat, pan_traffic, pan_system and pan_config.
@jibin1988 Hit me up on Slack or post your specific question; I may be able to help. This Answers post is approaching 4 years old, so I am sure whatever issues I had are behind me.
@ccsfdave Please let me know your Slack ID. I request you to ping me on Slack: j.sebastian@obrela.com
Hmm, unless I am looking at the wrong inputs.conf (/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf) below is what I have in there on my heavy forwarder:
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
Shoot, in /opt/splunk/etc/apps/sf_syslog_inputs/local/inputs.conf I had:
[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4
Which I have now changed to pan_logs and bounced the forwarder. Let's see what happens.
@ccsfdave Did you get it fixed? I have the same issue: Palo Alto logs are not getting parsed by the TA. Can you please update if you got it fixed?
Ya, I have the TA installed as per the installation instructions. I tried to follow them to a T, but have been known to be spacey.
I just took a quick peek at the TA, and it looks like it expects the initial sourcetype to be pan_log (or pan:log). Are you setting yours to just pan in your inputs? That might explain why it's not getting processed correctly.
[pan_log]
rename = pan:log
pulldown_type = false
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44
[pan:log]
category = Network & Security
description = Output produced by the Palo Alto Networks Next-generation Firewall and Traps Endpoint Security Manager
pulldown_type = true
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
Do you have the Splunk_TA_paloalto add-on installed on the heavy forwarder as well? That's where the sourcetype parsing needs to happen in your scenario.
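To make the mismatch described above checkable before restarting a forwarder, here is an added example (not code from the thread or from the Palo Alto TA): a small checker that reads inputs.conf and props.conf excerpts and flags any input whose sourcetype never reaches a stanza carrying TRANSFORMS-sourcetype, following `rename =` aliases such as pan_log to pan:log. The conf excerpts embedded in it are constructed from the stanzas quoted in this thread; the checker only reasons about stanza names, so it will not notice a TA that is simply absent from the heavy forwarder.

```python
# Constructed sample: the heavy forwarder's inputs.conf stanza from the thread.
INPUTS_CONF = """\
[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4
"""

# Constructed excerpt mirroring the TA's props.conf stanzas quoted above.
PROPS_CONF = """\
[pan_log]
rename = pan:log
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config

[pan:log]
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config
"""

def parse_conf(text):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; '#' lines skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def is_routed(sourcetype, props, seen=()):
    """True if this sourcetype's stanza carries a TRANSFORMS-* setting, directly
    or through a `rename =` alias chain (pan_log -> pan:log); cycles are cut off."""
    keys = props.get(sourcetype, {})
    if any(k.startswith("TRANSFORMS-") for k in keys):
        return True
    target = keys.get("rename")
    return bool(target) and target not in seen and is_routed(target, props, seen + (sourcetype,))

def unrouted_inputs(inputs_text, props_text):
    """[(input stanza, sourcetype)] for inputs that bypass sourcetype routing."""
    props = parse_conf(props_text)
    return [(stanza, keys["sourcetype"])
            for stanza, keys in parse_conf(inputs_text).items()
            if "sourcetype" in keys and not is_routed(keys["sourcetype"], props)]
```

Running unrouted_inputs on the excerpts reports the monitor stanza with sourcetype pan; changing that line to sourcetype = pan:log (or pan_log) makes the report empty.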