All Apps and Add-ons

Splunk_TA_paloalto parsing issues using syslog-ng and universal forwarder to indexers

dmal
New Member

I have my PANs forwarding events to a syslog-ng server over TCP, logs are parsed out to disk and then forwarded to the indexer (which replicates to another indexer) using the universal forwarder.

Config follows the model here:

https://splunk.paloaltonetworks.com/universal-forwarder.html

However, my syslog-ng config also has use_dns(no) under the source stanza and sets permissions under the destination stanza (create_dirs, owner, group, perm, etc.).

The indexers are already receiving events from multiple other sources from the same syslog-ng server with no issues.

I have installed the Splunk_TA_paloalto add-on on the indexer and I figure that the issue is with the content of the inputs.conf file on the indexer. It doesn't make sense to listen on udp:514, since the data is already coming from a UFW, and it's not parsing the data properly (sourcetype is still pan:log or pan:firewall, and doesn't seem to be affected by what I put in the inputs.conf on the syslog-ng server).

There seem to be lots of examples of folks getting this working, is it just that the UFW doesn't work and it has to go through a HFW instead?

Thanks,

d
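For reference, an added example of the forwarder-side input that the syslog-ng-to-UF model above relies on (example config written for this thread, not taken from the post or from the add-on's own files). It assumes syslog-ng writes to /var/log/syslog-ng/pan/<host>/ and that the index is named pan_logs; the sourcetype pan:log is only the initial label, and the add-on's props/transforms rewrite it to the specific sourcetypes when the data is parsed, which is why the add-on has to be installed on the indexers and no listener is needed there for data arriving via the UF.

```ini
# inputs.conf on the universal forwarder running on the syslog-ng host.
# Assumed layout written by the syslog-ng destination (create_dirs(yes)):
#   /var/log/syslog-ng/pan/<firewall-hostname>/<date>.log
[monitor:///var/log/syslog-ng/pan/]
# Initial sourcetype; the add-on's transforms on the parsing tier (indexer
# or heavy forwarder) rewrite it to pan:traffic, pan:threat, etc.
sourcetype = pan:log
# Assumed index name; it must already exist on the indexers.
index = pan_logs
# Take the host from the directory name rather than the syslog-ng server:
# segments count from 1 -> var=1, log=2, syslog-ng=3, pan=4, <hostname>=5
host_segment = 5
disabled = 0
```

Because the UF does no parsing, nothing in the syslog-ng server's inputs.conf beyond sourcetype, index and host can influence how the indexer sourcetypes the events; the rewrite rules live with the add-on on the indexer.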
