I'd like to hear your input on the following issue.
We are trying to index events from our Palo Alto firewalls. The firewalls forward the logs to a Panorama, the Panorama sends the logs to a syslog collector, which puts them in a folder with the name of the sending device (the Panorama). Our universal forwarder (UF) is monitoring the syslog collector and, for every file monitored, it sets the host to the name of the folder it is in and the sourcetype to pan:log. The result is that all our logs (from all the firewalls and the Panorama) are indexed with the MetaData:Host of the Panorama. So we want to rename the MetaData:Host with the value from the raw event (every log contains the hostname of the device that generated it), but we are having a hard time doing that.
The problem is that there are 4 types of logs (traffic, threat, system, config) that leave the UF with the same sourcetype (pan:log). We cannot extract the hostname with a simple regex from this sourcetype because each type of log has the hostname in a different place.
The Palo Alto Add-On (we have version 6.0.2) has the task of renaming the sourcetype based on the event (from pan:log to pan:traffic, pan:threat, pan:system and pan:config). It would be really easy to put a transform on these sourcetypes, but we can't do that because the events cannot pass twice through the parsing queue.
The only options I can think of are the following:
- Put a transform on pan:log with a really complex regex that extracts the hostname based on the log type.
- Customize the logs to have the hostname in the same place and extract it with a simple regex. (But in this case we would have to modify the extracts and also customize the logs for every new firewall that we get.)
Does anybody out there know a better solution than the ones stated above?
As you mentioned that Panorama is sending logs to a syslog server, can't you configure your syslog server to put different firewall logs in different directories? For example:
/opt/firewall-2/paloalto-2 etc., and then configure the Universal Forwarder as below:
[monitor:///opt/firewall-1/paloalto-1]
host_segment = 2
sourcetype = pan:log

[monitor:///opt/firewall-2/paloalto-2]
host_segment = 2
sourcetype = pan:log
With the above configuration the universal forwarder ingests
/opt/firewall-1/paloalto-1 with hostname
/opt/firewall-2/paloalto-2 with hostname
The way you are thinking of using a REGEX to read each and every event of the different types of network device logs and then using props and transforms to assign the hostname will generate more load on your Splunk server if you have millions of events being generated by those devices.
Thanks for your response @harsmarvania57.
We are currently doing that, but the syslog server sees all the logs as coming from the Panorama and is creating only one folder (for the Panorama). The logs are indeed coming only from Panorama, but their original source is different (other firewalls in our infrastructure). Is there a way to configure syslog-ng to put logs in different folders based on the content of the message? And, if there is, I'll have the same problem with the 4 log types.
Yes, you can filter the logs you are receiving from Panorama on syslog-ng; please check https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-... for the syslog-ng configuration to filter logs into different log files.
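Added example, not code from this thread or from the Palo Alto add-on: a Python check of the two approaches discussed above, the question's type-dependent hostname regex for a single transform on pan:log, and the per-device routing key that the syslog-ng answer relies on. The sample events are constructed in a simplified PAN-OS-style CSV layout; the field positions used here (serial in field 3, type in field 4, hostname at a type-dependent field given in HOST_FIELD) are assumptions of this example, not the real PAN-OS layout, so HOST_FIELD must be replaced with the real positions before the generated regex is put into a transform.

```python
import csv
import re
from io import StringIO

# Constructed sample events (not real firewall output) in a simplified
# PAN-OS-style CSV layout. Assumed here: field 3 is the firewall serial and
# field 4 is the log type for every type, while the device hostname sits at a
# type-dependent field. The first event keeps a syslog header in front of the
# CSV body, as lines written by a syslog collector would.
SAMPLE_EVENTS = [
    "Mar  4 10:15:01 panorama 1,2019/03/04 10:15:01,007200001234,TRAFFIC,end,2304,"
    "2019/03/04 10:15:01,10.0.0.5,203.0.113.9,fw-branch-01,allow",
    "1,2019/03/04 10:16:22,007200001234,THREAT,vulnerability,2304,"
    "2019/03/04 10:16:22,10.0.0.7,198.51.100.4,tcp,fw-branch-01,alert",
    '1,2019/03/04 10:17:05,007200005678,SYSTEM,general,2304,'
    '2019/03/04 10:17:05,fw-dc-02,informational,"Commit succeeded, 2 warnings"',
    "1,2019/03/04 10:18:40,007200005678,CONFIG,0,2304,"
    "2019/03/04 10:18:40,admin,fw-dc-02,set,Succeeded",
]

# 1-based field index of the device hostname per log type (constructed layout).
HOST_FIELD = {"TRAFFIC": 10, "THREAT": 11, "SYSTEM": 8, "CONFIG": 9}
SERIAL_FIELD = 3
TYPE_FIELD = 4


def parse_event(raw):
    """Split one event with a CSV reader so quoted commas do not shift fields."""
    return next(csv.reader(StringIO(raw)))


def classify(raw):
    """Return (serial, log type): the routing key that sits at the same position
    for all four types in this layout, usable before any type-specific parsing."""
    fields = parse_event(raw)
    return fields[SERIAL_FIELD - 1], fields[TYPE_FIELD - 1]


def host_by_type(raw):
    """Dispatch on the log type, then read the type-specific hostname field."""
    fields = parse_event(raw)
    idx = HOST_FIELD.get(fields[TYPE_FIELD - 1])
    if idx is None or len(fields) < idx:
        return None
    return fields[idx - 1]


def skip(n):
    """Regex fragment that consumes n comma-terminated fields."""
    return r"(?:[^,]*,){%d}" % n


# One regex with an alternation per log type, the shape a single
# transforms.conf stanza on the shared sourcetype needs: after "<TYPE>," skip
# the fields between the type and the hostname, then capture the hostname as
# group 1. The leading [^,]* of field 1 also swallows a comma-free syslog
# header, so the pattern stays anchored at the start of the raw event.
HOST_REGEX = re.compile(
    "^" + skip(TYPE_FIELD - 1)
    + "(?:" + "|".join(
        "%s,%s" % (t, skip(HOST_FIELD[t] - TYPE_FIELD - 1)) for t in sorted(HOST_FIELD)
    ) + ")"
    + r"([^,]+)"
)


def host_by_regex(raw):
    """The transform-style extraction: one pattern, no dispatch logic."""
    m = HOST_REGEX.match(raw)
    return m.group(1) if m else None


def route(events):
    """Group events the way a per-device directory layout would:
    {(serial, hostname): [log types seen]}."""
    out = {}
    for raw in events:
        serial, log_type = classify(raw)
        out.setdefault((serial, host_by_type(raw)), []).append(log_type)
    return out


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(classify(raw), host_by_type(raw), host_by_regex(raw))
    print("REGEX for transforms.conf:", HOST_REGEX.pattern)
```

Printing HOST_REGEX.pattern gives the value for a transforms.conf stanza of the form REGEX = <pattern>, FORMAT = host::$1, DEST_KEY = MetaData:Host, referenced from props.conf under [pan:log]. classify() shows what a syslog-ng filter or template can key on instead: in this layout the serial number is at the same field for all four types, so routing files by serial sidesteps the per-type problem. One caveat to test against real events before relying on the regex: a quoted field containing commas anywhere before the hostname shifts the [^,]* counting, which the CSV-reader path tolerates and the regex does not.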
Hi @stefan_ghita ,
If logs are forwarded from the universal forwarder to a heavy forwarder on UDP 514, then on the heavy forwarder add the stanza below in
[udp://514]
connection_host = ip