Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Palo Alto Networks syslog: 1 host is ingested with incorrect date

manderson7
Contributor
‎08-28-2017 11:03 AM

Pretty weird situation here. Bringing in multiple palo alto syslog sources, all going to the same main syslog directory, then divvied up by host name, so /var/log/syslog/PaloAlto/host1/host1-PaloAlto.log, etc.

Host 1 is showing the correct date in the event that matches the log 

13:49:48,010108000857,TRAFFIC,end,1,2017/08/28 13:49:48,172.30.69.194,172.30.5.69,0.0.0.0,0.0.0.0,DC_Dea_Any,,,tanium,vsys3,DC_DEA_TRUSTED,DC_DEA_UNTRUSTED,ethernet6/4.1028,ethernet6/3.1028,Log_Fwd_PA-7050,2017/08/28 13:49:48,1343232963,1,54123,17472,0,0,0x5e,tcp,allow,3133,893,2240,14,2017/08/28 13:49:29,17,any,0,0,0x0,172.16.0.0-172.31.255.255,172.16.0.0-172.31.255.255,0,9,5,tcp-fin,43,0,0,0,DC-DEA,host1,from-policy  


8/28/17
1:49:48.010 PM

while host 2 is showing 

13:49:49,007801000317,TRAFFIC,end,0,2017/08/28 13:49:28,204.76.30.253,172.217.2.46,0.0.0.0,0.0.0.0,PUBLIC_TO_INTERNET,,,google-analytics,vsys10,IPS_IN,IPS_IN,ethernet1/1,ethernet1/1,Log_Fwd,2017/08/28 13:49:28,120421,1,57690,443,0,0,0x53,tcp,allow,6609,1706,4903,17,2017/08/28 13:46:38,168,computer-and-internet-info,0,31998418668,0x8000000000000000,United States,United States,0,9,8,tcp-fin,892,0,0,0,IPS_TEST,host2,from-policy,,,0,,0,,N/A

8/2/17
1:49:49.007 PM

We're uncertain how long this has been going on. I've added the following props for the sourcetype, but it's had no effect:

[pan:traffic]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = \S+\,\S+\,\S+\,\S+\,\S+\,
category = Custom
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 19

I tried it without the timestamp_lookahead, but no change. Any help here would be appreciated.

Reply

manderson7
Contributor
‎08-29-2017 06:36 AM

May have figured this out. Had another app, Splunk_TA_paloalto, adjusting the max_timestamp_lookahead to 44 (without the time prefix), which seems to be in the middle of the day in the date string. Have changed that to 50 and pushed it out. Crossing fingers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...