Wrong timestamp Palo Alto

norbertt911 · ‎11-06-2020

Dear Splunkers,

Sorry about this, but I never did such thing before...

My Splunk is in EU and now I added PaloAlto firewall logs (collected by a Syslog and UF pushing them to Splunk) from AUS.

The timestamping is wrong.

First of all the today's events (11/06) are indexed on11th of Jun (06/11). On the top, it is indexed two hours ahead than the current time.

now the events look like this :

11/06/2020
13:45:43.000

06-11-2020 21:45:43 User.Info 10.180.160.41 Nov 6 21:45:43 Firewall.device.name 1, ..........................................................

I'm using the Palo Alto add-on default for the source type, just the time zone changed to Sydney. (Timestamp prefix : ^(?:[^,]*,){5} ; Lookahead 100)

Could you please advise what I should do? (what will happen if I will have the same source type logs to the same index but from a different timezone? )

Regards,

Norbert

inventsekar · ‎11-06-2020

Hi @norbertt911 the props.conf setting on timestamp recognition got some issues. Can you copy paste your props/transforms here(after hiding the hostname values)

norbertt911 · ‎11-06-2020

Meanwhile, I found it 🙂

The Palo alto add-on permission was limited to the app, not Global. So if I search in Paloalto app it is ok, but that strange behavior in the default Search app.

Only the "bonus" question left. What will happen if I will have the same source type but from a different time zone? I should clone the original pan:log source type with a different time zone setting and add this new source type to props/transforms.conf?

Wrong timestamp Palo Alto

props.conf

sourcetype

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023

Platform Newsletter Highlights | March 2023