Palo Alto firewall device (IPS and IDS only) is sending logs to rsyslog server and it gets saved in a directory. The logs from that directory is being ingested using syslog inputs from the path.
I have installed "PaloAlto for Networks Add-On" on Syslog servers which also acts as Heavy forwarder only (not on indexers as we are using Splunk Cloud). As I mentioned the sourcetype as "pan:log", Splunk have segregated the log as "pan:threat", "pan:system" and "pan:traffic". I believe the parsing of logs should happen on this HF.
But, I dont see any field extraction is happening. Only the sourcetype segregation is working. Without field extraction, it is tough to do analysis by Security Operation Center.
Should i consider about log format? The default log format is being used.
Does Field extraction work only after I install the Add-On on Splunk Cloud Search Head or Indexers? When Heavy Forwarder can parse the data, should I still install on Splunk Cloud?
For search time field extracteions, TAs normally need to be installed on the Search Heads to. Also the fact that you are using rsyslog might influence the logformat as syslog mostly puts a syslog header in the beginning of each log file, which means you need to modify syslog configuration or props/transforms.conf for this. But I guess first thing would be to install the TA on the Search Head and check if fields get extracted afterwards. Further more you can find info on what to install where over here : https://splunk.paloaltonetworks.com/installation.html
I have submitted a case to install this Add-On on Splunk Cloud Search head. But I am unsure how do we confirm if it is Search TIme or Index time field extraction. In my thought, the field extractions are configured on Heavy Forwarder in props.conf, so it should be index time field extraction.
If index time field extractions can happen on HF, the data should have been extracted, but it is not happening.