I'm sending my log files to Splunk from a syslog server using a universal forwarder. They are getting to the right index and the hostnames are being extracted fine. The problem is, nothing else is parsing properly. When I choose sourcetype=pan all I get is pan_log. It's not parsing out the data into the appropriate types (i.e. threat, url, etc.). Here is a copy of my inputs.conf:
[monitor://C:\Program Files (x86)\Syslogd\Logged Devices\]
host_segment = 5
sourcetype = "pan:log"
no_appending_timestamp=true
index=pan_logs
disabled = false
The source directory is formatted as follows:
C:\Program Files (x86)\Syslogd\Logged Devices\PaloAlto Firewalls\%firewall model%\%ip_address%--Syslog-2021-01-21.txt
Any thoughts?
Ian
The no_appending_timestamp option is valid only for UDP inputs. Since you are using a syslog server, maybe parsing does not work because of timestamp addition or format.
Can you please post a few sample logs to check?
yes
Have you installed a Palo Alto TA on your indexers?
Hi @Iwdavies,
Did you install Palo Alto Networks Add-on on indexers? Since you are using UF, sourcetype override will be done on indexers.
If this reply helps you, an upvote is appreciated.
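For readers who want to see what the indexer-side sourcetype override in the reply above actually looks like, here is an added illustration. It is example configuration written for this thread, not the Palo Alto Networks Add-on's own props.conf/transforms.conf, and the stanza names (pan_set_threat and so on) are invented. It relies on the PAN-OS syslog message being comma separated with the log type in the fourth field, which is why a plain pan:log event can be re-typed into pan:threat, pan:traffic, pan:system or pan:config as it passes through the parsing pipeline:

```ini
# props.conf on the indexer (or a heavy forwarder), because a universal
# forwarder does not run TRANSFORMS-. Illustrative example only.
# The stanza header must exactly equal the sourcetype the forwarder sends.
# inputs.conf does not strip quotation marks, so a value written as
# sourcetype = "pan:log" arrives with the quotes included and will NOT match
# this stanza; check the sourcetype in search before debugging anything else.
[pan:log]
TRANSFORMS-pan_sourcetype = pan_set_threat, pan_set_traffic, pan_set_system, pan_set_config

# transforms.conf (same host). PAN-OS messages look like
#   <syslog header> 1,2021/01/21 10:00:00,<serial>,THREAT,url,...
# so skipping three comma-delimited fields lands on the log type.
# Stanza names below are assumptions made for this example.
[pan_set_threat]
REGEX = ^(?:[^,]*,){3}THREAT,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:threat

[pan_set_traffic]
REGEX = ^(?:[^,]*,){3}TRAFFIC,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:traffic

[pan_set_system]
REGEX = ^(?:[^,]*,){3}SYSTEM,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:system

[pan_set_config]
REGEX = ^(?:[^,]*,){3}CONFIG,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:config
```

Two things to verify on a deployment like the one in the question: that the add-on (or an equivalent of the stanzas above) is present on every indexer the forwarder sends to, and that the sourcetype arriving from the universal forwarder is literally pan:log, since a mismatch in the props.conf stanza header silently leaves every event as pan:log with no per-type field extractions.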