Getting Data In

How to handle multiple timezone when getting the paloalto firewall logs in?

Iris_Pi
Path Finder

Hello Guys,

We have paloalto firewalls with different timezone settings. For the ones which is not in the same timezone as Splunk, their logs will be considered as the logs of the future and hence cannot be searched in Splunk in a timely manner.

I cannot fix it by specifying timezone for the source types provided by the paloalto TA, since it cannot fulfill multiple time zones at the same time.

I wonder if you have experienced the similar problem, if yes, would you please share your experience on handling this kind of issue?

Thanks much for your help in advance!

Regards,
Iris

Labels (1)
0 Karma

Iris_Pi
Path Finder

My problem was solved by creating a private app with a customized props.conf file, which defines different TZ for different hosts like showed as below:

[host::hostA]
TZ = xxx

[host::hostB]
TZ = xxx

0 Karma

KendallW
Contributor

Hi @Iris_Pi would it be feasible to specify the time zone using source stanzas in props.conf instead of sourcetype in this case? [source::] takes precedence over [<sourcetype>] in props.conf. 

 

Iris_Pi
Path Finder

Hello @KendallW,

Can you please help on a follow up question? In my case, I'm using HEC to get the logs in, the "source::" spec cannot distinguish the firewalls, can I use "host::" instead?

0 Karma

KendallW
Contributor

Hi @Iris_Pi , yes, as per the documentation:

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.

 

PickleRick
SplunkTrust
SplunkTrust

One caveat though - the host field might be being parsed out from the raw message during ingestion. In such case you can't use it for specifying props stanza.

0 Karma

Iris_Pi
Path Finder

Thanks much for your reply!
I'm checking with the support if they can help to set props.conf on the backend, since we are using splunk cloud.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...