Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SC4S - PaloAlto logs not processed correctly

corti77
Contributor
‎02-01-2022 06:53 AM

Hi,

I am trying to configure PaloAlto logs via the Splunk Connect for Syslog.

I followed the instructions here 
https://splunk.github.io/splunk-connect-for-syslog/main/sources/PaloaltoNetworks/

I configured the syslog at PaloAlto according the instructions. I also c

I can see the syslog connections arriving to the host from the firewall using the command tcpdump port 514.

Add the following lines to splunk_metadata.csv

 

pan_config,index,test
pan_correlation,index,test
pan_globalprotect,index,test
pan_hipmatch,index,test
pan_log,index,test
pan_system,index,test
pan_threat,index,test
pan_traffic,index,test
pan_userid,index,test

 

 

 

And restart sc4s

 

systemctl restart sc4s

 

I checked the index test and it is empty. I enabled the debug by adding with the line in the env_file

 

SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug

 

and it seems like the index defined in the spplunk_metadata.csv is not taken, instead osnix is used.

 

curl -k -u "sc4s HEC debug:$SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN" "https://splunk.XX.XXX.XXu:8088/services/collector/event" -d '{"time":"1643726324.000","sourcetype":"nix:syslog","source":"program:","index":"osnix","host":"atlas-fw-01.XXX.XX.XX","fields":{"sc4s_vendor_product":"nix_syslog","sc4s_syslog_severity":"info","sc4s_syslog_format":"rfc5424_strict","sc4s_syslog_facility":"user","sc4s_proto":"UDP","sc4s_loghost":"xxxxxxxxxx","sc4s_fromhostip":"192.168.10.100","sc4s_destport":"514","sc4s_container":"xxxxxxxx"},"event":"2022-02-01T14:38:44.000+00:00 atlas-fw-01.xxx.xxx.xxx - - - -  1,2022/02/01 15:38:43,011901021137,TRAFFIC,end,2561,2022/02/01 15:38:43,192.168.20.63,157.240.27.54,154.14.118.254,157.240.27.54,Normal traffic,xxx\\yyy,,quic,vsys1,Internal,External,ae1,ae2.6,Splunk,2022/02/01 15:38:43,113676,1,56081,443,49985,443,0x400019,udp,allow,7358,2250,5108,19,2022/02/01 15:36:43,0,any,,7030011678692056750,0x0,192.168.0.0-192.168.255.255,Germany,,7,12,aged-out,0,0,0,0,,atlas-fw-01,from-policy,,,0,,0,,N/A,0,0,0,0,c8250554-4ccd-46e3-8498-e74cfe9cdd10,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2022-02-01T15:38:44.130+01:00,,,infrastructure,networking,browser-based,1,tunnel-other-application,,quic,no,no,0"}'

 

 I already check and the HEC token is allowed to index test.

Could someone tell me what is happening?

thanks

Labels (1)
Labels
0 Karma
Reply

corti77
Contributor
‎02-02-2022 03:24 AM

Hi,

I reply myself here for future reference, it might help others.

My issue was finally solved and it was due to the format PaloAlto produces the syslog events. to be compatible with SC4S, we need to configure PaloAlto to send the logs to port 601 in TCP and with the format EITF.

syslogPaloAlto.PNG

Then, in the SC4S host , you might need to open the flow in the local firewall , in my case it was firewalld.

firewall-cmd --permanent --add-port 601/tcp
firewall-cmd --runtime-to-permanent
firewall-cmd --reload

finally the lines in the splunk_metadata.csv, in my case to use a different index.
pan_traffic,index,pan_logs
pan_config,index,pan_logs
pan_correlation,index,pan_logs
pan_globalprotect,index,pan_logs
pan_hipmatch,index,pan_logs
pan_log,index,pan_logs
pan_system,index,pan_logs
pan_threat,index,pan_logs
pan_userid,index,pan_logs

and that is all. I hope it helps someone.

 

 

Reply

vader13
Explorer
2 weeks ago

Couldn't you just use 1601 or some other port?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...