I have my PANs forwarding events to a syslog-ng server over TCP, logs are parsed out to disk and then forwarded to the indexer (which replicates to another indexer) using the universal forwarder.
Config follows the model here:
https://splunk.paloaltonetworks.com/universal-forwarder.html
However, my syslog-ng config also has use_dns(no) under the source stanza and sets permissions under the destination stanza (create_dirs, owner, group, perm, etc.).
The indexers are already receiving events from multiple other sources from the same syslog-ng server with no issues.
I have installed the Splunk_TA_paloalto add-on on the indexer and I figure that the issue is with the content of the inputs.conf file on the indexer. It doesn't make sense to listen on udp:514, since the data is already coming from a UFW, and it's not parsing the data properly (the sourcetype is still pan:log or pan:firewall; it doesn't seem to be affected by what I put in the inputs.conf on the syslog-ng server).
There seem to be lots of examples of folks getting this working, is it just that the UFW doesn't work and it has to go through a HFW instead?
Thanks,
d
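A minimal version of the pipeline described in this post, added here as an example; it is not the poster's actual configuration and not code from the Palo Alto universal-forwarder document. The listener port, file paths, index name, app directory and the `splunk` owner/group are assumptions, and `host_segment` is counted against the assumed path.

```conf
# ---------------------------------------------------------------------------
# File 1 (assumed location): /etc/syslog-ng/conf.d/pan.conf on the syslog-ng host
# ---------------------------------------------------------------------------
@version: 3.22

# TCP listener for the firewalls. use_dns(no) keeps the $HOST macro as the
# sending IP, so the per-host directory below is stable and no reverse
# lookups are done on the hot path.
source s_pan_tcp {
    network(ip("0.0.0.0") port(5514) transport("tcp") use_dns(no));
};

# One directory per firewall, one file per day. Ownership and modes are set so
# the universal forwarder's service account (assumed: splunk) can read the
# files without the forwarder running as root.
destination d_pan_file {
    file("/var/log/syslog-ng/pan/${HOST}/${YEAR}${MONTH}${DAY}.log"
         create_dirs(yes)
         dir_perm(0750)
         owner("splunk")
         group("splunk")
         perm(0640));
};

log { source(s_pan_tcp); destination(d_pan_file); };

# ---------------------------------------------------------------------------
# File 2 (assumed location): $SPLUNK_HOME/etc/apps/pan_inputs/local/inputs.conf
# on the universal forwarder that runs on the same syslog-ng host
# ---------------------------------------------------------------------------
[monitor:///var/log/syslog-ng/pan]
disabled = false
recursive = true
index = pan_logs
sourcetype = pan:log
# Path is /var/log/syslog-ng/pan/<firewall>/<date>.log:
# var=1 log=2 syslog-ng=3 pan=4 <firewall>=5
host_segment = 5
```

Two things worth checking with this layout. First, the sourcetype that reaches the indexer is the one in the forwarder's own `monitor://` stanza; `splunk btool inputs list monitor --debug` on the forwarder shows which inputs.conf actually wins if several apps define the same path. Second, a universal forwarder does not run props/transforms, so any sourcetype splitting the add-on does for `pan:log` happens at parse time on the indexers, which is where the add-on's props.conf and transforms.conf need to be present and should be confirmed with `splunk btool props list pan:log --debug` there; the add-on's own `udp://514` input stanza is not used by a file monitor and can stay disabled.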