Splunk Enterprise Security

Log Parsing is not happening for PaloAlto logs

Path Finder

Palo Alto firewall device (IPS and IDS only) is sending logs to rsyslog server and it gets saved in a directory. The logs from that directory is being ingested using syslog inputs from the path.

I have installed "PaloAlto for Networks Add-On" on Syslog servers which also acts as Heavy forwarder only (not on indexers as we are using Splunk Cloud). As I mentioned the sourcetype as "pan:log", Splunk have segregated the log as "pan:threat", "pan:system" and "pan:traffic". I believe the parsing of logs should happen on this HF.

But, I dont see any field extraction is happening. Only the sourcetype segregation is working. Without field extraction, it is tough to do analysis by Security Operation Center.

Should i consider about log format? The default log format is being used.

Does Field extraction work only after I install the Add-On on Splunk Cloud Search Head or Indexers? When Heavy Forwarder can parse the data, should I still install on Splunk Cloud?


For search time field extracteions, TAs normally need to be installed on the Search Heads to. Also the fact that you are using rsyslog might influence the logformat as syslog mostly puts a syslog header in the beginning of each log file, which means you need to modify syslog configuration or props/transforms.conf for this. But I guess first thing would be to install the TA on the Search Head and check if fields get extracted afterwards. Further more you can find info on what to install where over here : https://splunk.paloaltonetworks.com/installation.html

Path Finder

Hi jbrocks,

I have submitted a case to install this Add-On on Splunk Cloud Search head. But I am unsure how do we confirm if it is Search TIme or Index time field extraction. In my thought, the field extractions are configured on Heavy Forwarder in props.conf, so it should be index time field extraction.

If index time field extractions can happen on HF, the data should have been extracted, but it is not happening.

0 Karma

Path Finder

Forgot to mention that rsyslog format was checked and removed "date" and "host" details.. Now only the "message" details are being ingested.

The "Message" coming from PaloAlto to splunk could match the below field extraction but still it is not being parsed.

field extractions

DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","event_id","object","future_use3","future_use4","module","severity","description","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name"

0 Karma

Path Finder

Hi @bsuresh1

I too have the same issue. I have installed the TA on HF but parsing is not happening. Only sourcetype is getting segregated. The logs are not getting parsed. Did you fix this issue?

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...