All Apps and Add-ons

splunk_ta_paloalto - Fix for misaligned field extractions. (V6.1.1)

markhill1
Path Finder

Hi all, After installing this TA recently, we discovered an issue, Its field extractions straight out of the box appear to be mis-aligned.

You need to remove the "future_use_1" from the start of the transforms. Then they all work fine.
If you don't, then all the other fields are mis-labelled, moved one spot over.
We are sending logs via syslog into Splunk rather than any other method, so not sure if that makes any difference.

Hopefully this helps someone else.

0 Karma

aalaa
Path Finder

Hello ,

What do you mean by "future_use_1" please ? i don't have this line in the TA-palo alto

0 Karma

woodcock
Esteemed Legend

You should not be sending syslog directly to Splunk. You should be sending it to syslog-ng which can then either send via HEC or write to find and use traditional UF. Doing it this way will add that extra field and also vastly increase your stability and limit your data loss:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splu...

0 Karma

markhill1
Path Finder

We are not. We are sending via a syslog-ng storebox, we are very aware of the right thing to do with syslog. Thanks.

0 Karma

woodcock
Esteemed Legend

OK, but that's not what you wrote at first. Good job on syslog-ng.

0 Karma

jibin1988
Path Finder

@markhill1 Do we have to remove the field from both syslog/HF and indexers?

@woodcock my sample logs looks like this :

< 14 >Feb 18 07:54:52 FWRY95-IT-RDC46-F1-WA-A10-01 1,2020/02/18 07:54:52,012501002982,TRAFFIC,drop,2049,2020/02/18 07:54:52,192.168.99.50,10.21.64.18,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Outside,FWasGW-2001,ae1.2000,,LOG-FOR,2020/02/18

At beginning of every log we can see the < 14 > is it somethig due to timestamps ?
Also fields are misaligned. I am not seeing any src_ip,dst_ip fields as well.

0 Karma

markhill1
Path Finder

Depends on your setup, but I would say anywhere that you have the TA deployed

Tags (1)
0 Karma

markhill1
Path Finder

Hi, Our log formats are fine, here is an example:
09:13:34,013201007069,TRAFFIC,drop,2049,2019/06/26 09:13:34,38.126.xx.xxx,103.230.xx.xxx,0.0.0.0,0.0.0.0,Rule 278 Blocklist incoming,,,not-applicable,vsys1,Public,DMZ2,ae1.53,,Log Forwarding All,2019/06/26 09:13:34,0,1,46092,443,0,0,0x0,tcp,deny,64,64,0,1,2019/06/26 09:13:34,0,any,0,6693140560823890604,0x8000000000000000,United States,Australia,0,1,0,policy-deny,11,0,0,0,,FW01,from-policy,,,0,,0,,N/A,0,0,0,0

We found that the 'future_state_1' field the TA introduces was shifting all the field names over one spot to the right.

0 Karma

panguy
Contributor

I'm not sure what you mean by "TA introduces". The TA does not add any fields to your logs. It looks for the default syslog format from the Firewall. If any fields are added it isn't being added by the TA.

0 Karma

markhill1
Path Finder

Correct, its just adds in the idea of that imaginary first field. Thus moving all the other fields one place to the right.

0 Karma

panguy
Contributor

By default the syslog server will prepend some data to the logs.

Did you add the no-parse flag to configuration on the syslog server?

Check out this guide on setting up syslog server and universal forwarder:
https://splunk.paloaltonetworks.com/universal-forwarder.html

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...