Splunk_TA_paloalto parsing issues using syslog-ng ...

All Apps and Add-ons

I have my PANs forwarding events to a syslog-ng server over TCP, logs are parsed out to disk and then fowarded to the indexer (which replicates to another indexer) using the universal forwarder.

Config follows the model here:

https://splunk.paloaltonetworks.com/universal-forwarder.html

However my syslog-ng config also has us_dns(no) under the source stanza and sets permits under the destination stanza (creat_dirs, owner, group, perm, etc..)

The indexers are already receiving events from multiple other sources from the same syslog-ng server with no issues.

I have install the Splunk_TA_paloalto add-on on the Indexer and I figure that the issue is with the content of the inputs.conf file on the indexer. It doesn't make sense to listen on udp:514, since the data is already coming from a UFW, and it's not parsing the data properly (sourcetype is still pan:log or pan:firewall, doesn't seem to be affected what I put in at the syslog-ng server inputs.conf).

There seem to be lots of examples of folks getting this working, is it just that the UFW doesn't work and it has to go through a HFW instead?

Thanks,

Get Updates on the Splunk Community!

Splunk_TA_paloalto parsing issues using syslog-ng and universal fowarder to indexers

configuration

troubleshooting

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?