Hi all. After installing this TA recently, we discovered an issue: its field extractions straight out of the box appear to be misaligned.
You need to remove the "future_use_1" from the start of the transforms. Then they all work fine.
If you don't, then all the other fields are mislabelled, moved one spot over.
We are sending logs via syslog into Splunk rather than any other method, so I'm not sure if that makes any difference.
Hopefully this helps someone else.
Hello,
What do you mean by "future_use_1" please? I don't have this line in the TA-palo alto.
You should not be sending syslog directly to Splunk. You should be sending it to syslog-ng, which can then either send via HEC or write to file and use a traditional UF. Doing it this way will add that extra field and also vastly increase your stability and limit your data loss:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splu...
We are not. We are sending via a syslog-ng storebox; we are very aware of the right thing to do with syslog. Thanks.
OK, but that's not what you wrote at first. Good job on syslog-ng.
@markhill1 Do we have to remove the field from both syslog/HF and indexers?
@woodcock my sample logs look like this:
< 14 >Feb 18 07:54:52 FWRY95-IT-RDC46-F1-WA-A10-01 1,2020/02/18 07:54:52,012501002982,TRAFFIC,drop,2049,2020/02/18 07:54:52,192.168.99.50,10.21.64.18,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Outside,FWasGW-2001,ae1.2000,,LOG-FOR,2020/02/18
At the beginning of every log we can see the < 14 >. Is it something due to timestamps?
Also, fields are misaligned. I am not seeing any src_ip, dst_ip fields either.
Depends on your setup, but I would say anywhere that you have the TA deployed.
Hi, our log formats are fine; here is an example:
09:13:34,013201007069,TRAFFIC,drop,2049,2019/06/26 09:13:34,38.126.xx.xxx,103.230.xx.xxx,0.0.0.0,0.0.0.0,Rule 278 Blocklist incoming,,,not-applicable,vsys1,Public,DMZ2,ae1.53,,Log Forwarding All,2019/06/26 09:13:34,0,1,46092,443,0,0,0x0,tcp,deny,64,64,0,1,2019/06/26 09:13:34,0,any,0,6693140560823890604,0x8000000000000000,United States,Australia,0,1,0,policy-deny,11,0,0,0,,FW01,from-policy,,,0,,0,,N/A,0,0,0,0
We found that the 'future_state_1' field the TA introduces was shifting all the field names over one spot to the right.
I'm not sure what you mean by "TA introduces". The TA does not add any fields to your logs. It looks for the default syslog format from the Firewall. If any fields are added, they aren't being added by the TA.
Correct, it just adds in the idea of that imaginary first field, thus moving all the other fields one place to the right.
By default the syslog server will prepend some data to the logs.
Did you add the no-parse flag to the configuration on the syslog server?
Check out this guide on setting up syslog server and universal forwarder:
https://splunk.paloaltonetworks.com/universal-forwarder.html
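As an added illustration of the off-by-one effect discussed above (not code from the thread, the TA or Palo Alto), here is a small Python check that splits a PAN-OS TRAFFIC line onto the first 21 column names and shows what happens when the leading reserved column is present or absent; the column names and the syslog-header regex are my assumptions, and the sample line is constructed from the one pasted earlier.

```python
import re
from datetime import datetime

# First 21 columns of a PAN-OS TRAFFIC log, in CSV order. Names are assumed
# here (they follow the public PAN-OS log field reference); "future_use_*"
# are the reserved columns, the first of which the thread is about.
TRAFFIC_FIELDS = [
    "future_use_1", "receive_time", "serial_number", "type", "subtype",
    "future_use_2", "generated_time", "src_ip", "dst_ip", "natsrc_ip",
    "natdst_ip", "rule", "src_user", "dst_user", "app", "vsys",
    "src_zone", "dst_zone", "in_interface", "out_interface", "log_action",
]
# BSD-style syslog header "<PRI>Mon dd hh:mm:ss host "; spaces inside the
# angle brackets are tolerated because the pasted line shows "< 14 >".
SYSLOG_HEADER = re.compile(r"^<\s*\d+\s*>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ")
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_traffic(line, fields=TRAFFIC_FIELDS):
    """Strip the syslog header and zip the CSV body onto the column names."""
    body = SYSLOG_HEADER.sub("", line.strip(), count=1)
    return dict(zip(fields, body.split(",")))


def alignment_ok(rec):
    """Cheap sanity check that fails whenever the columns are off by one:
    'type' must be a known log type and 'generated_time' a real timestamp."""
    try:
        datetime.strptime(rec.get("generated_time", ""), TIME_FMT)
    except ValueError:
        return False
    return rec.get("type") in {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG"}


# Constructed sample based on the line pasted in the thread (trailing columns
# omitted). STRIPPED is the same event without the leading reserved column,
# which matches the symptom that removing future_use_1 from the transform fixes.
SAMPLE = ("<14>Feb 18 07:54:52 FWRY95-IT-RDC46-F1-WA-A10-01 "
          "1,2020/02/18 07:54:52,012501002982,TRAFFIC,drop,2049,"
          "2020/02/18 07:54:52,192.168.99.50,10.21.64.18,0.0.0.0,0.0.0.0,"
          "interzone-default,,,not-applicable,vsys1,Outside,FWasGW-2001,"
          "ae1.2000,,LOG-FOR")
STRIPPED = SAMPLE.replace(" 1,2020/02/18", " 2020/02/18", 1)

if __name__ == "__main__":
    for name, line in (("intact", SAMPLE), ("stripped", STRIPPED)):
        full = parse_traffic(line)                         # TA default transform
        trimmed = parse_traffic(line, TRAFFIC_FIELDS[1:])  # future_use_1 removed
        print(name, "default:", full["src_ip"], alignment_ok(full),
              "| without future_use_1:", trimmed["src_ip"], alignment_ok(trimmed))
```

Run it and you will see that whichever column list matches your actual lines is the one whose `src_ip` is a real source address and whose `alignment_ok` is True; the other one lands the destination address (or a serial number) in `src_ip`.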