splunk app not parsing logfiles

Iwdavies · ‎01-21-2021

I'm sending my log files to splunk from a syslog server using a universal forwarder. They are getting to the right index and the hostnames are being extracted fine. The problem is, nothing else is parsing properly. When I choose sourcetype=pan all i get is pan_log. Its not parsing out the data into the appropriate types (i.e. threat, url, etc). Here is a copy of my inputs.conf

[monitor://C:\Program Files (x86)\Syslogd\Logged Devices\]
host_segment = 5
sourcetype = "pan:log"
no_appending_timestamp=true
index=pan_logs
disabled = false

The source directory is formatted as follows:

C:\Program Files (x86)\Syslogd\Logged Devices\PaloAlto Firewalls\%firewall model%\%ip_address%--Syslog-2021-01-21.txt

any thoughts?

Ian

scelikok · ‎01-21-2021

@Iwdavies,

no_appending_timestamp option is valid only for UDP inputs. Since you are using syslog server, maybe parsing does no work because of timestamp addition or format.

Can you please post a few sample logs to check?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Iwdavies · ‎01-21-2021

yes

richgalloway · ‎01-21-2021

Have you installed a Palo Alto TA on your indexers?

---
If this reply helps you, Karma would be appreciated.

scelikok · ‎01-21-2021

Hi @Iwdavies,

Did you install Palo Alto Networks Add-on on indexers? Since you are using UF, sourcetype override will be done on indexers.

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

splunk app not parsing logfiles

configuration

troubleshooting

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!