Splunk Search

How to filter out Informational logs from Palo Alto

cesarfabre
Explorer

Hi there,

I am trying to filter out Information logs from Palo Alto Firewall using REGEX with props e transforms.conf but it is not working.

Help me with the correct REGEX.

Thanks a lot!
César

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this.

props.conf file

[pan:log]
TRANSFORMS-drop = discard-nolog, discard-info

transforms.conf

[discard-nolog]
REGEX = TRAFFIC.*xlog
DEST_KEY = queue
FORMAT = nullQueue

[discard-info]
REGEX = ,informational,
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

lakshman239
SplunkTrust
SplunkTrust

If you are getting the PA logs via syslog, you can add a rule in your syslog [ rsyslog/syslog-ng] to allow only TRAFIC and THREAT logs and hence you can dispense the props/transforms changes.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this.

props.conf file

[pan:log]
TRANSFORMS-drop = discard-nolog, discard-info

transforms.conf

[discard-nolog]
REGEX = TRAFFIC.*xlog
DEST_KEY = queue
FORMAT = nullQueue

[discard-info]
REGEX = ,informational,
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

cesarfabre
Explorer

Hi Rich,

I'm very happy, it worked.

Now I will configure the email to send alerts when critical events occur.

Thanks a lot!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@cesarfabre Please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

cesarfabre
Explorer

@richgalloway I accepted!!!

Tks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please provide some sample events (hide private data) and your current props and transforms settings.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

cesarfabre
Explorer

Hi Rich,

Follows the event log:

Apr 22 14:00:57 192.168.x.x 1,2019/04/22 14:00:57,001801010915,THREAT,spyware,2049,2019/04/22 14:00:57,192.168.X.X,74.125.X.X,179.191.X.X,74.125.X.X,EXIT_INTERNET,unknown,,ssl,vsys1,INTER,MUNDI,ethernet1/3.168,ethernet1/4.179,LOG-FORWARD-SPLUNK,2019/04/22 14:00:57,147775,1,51631,443,51644,443,0x423000,tcp,alert,"fonts.gstatic.com/",Suspicious TLS Evasion Found(14978),computer-and-internet-info,informational,client-to-server,73291901,0x2000000000000000,XX,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,FW-XX,PA-XXXX-XXX,,,,,0,,0,,N/A,spyware,AppThreat-8144-5408,0x0,0,4294967295,
host = 192.168.X.X source = udp:5514 sourcetype = pan:threat

My current props and transforms settings:

(1) props.conf file
[pan:log]
TRANSFORMS-drop = discard-nolog

(2) transforms.conf
[discard-nolog]
REGEX = informational.*xlog
DEST_KEY = queue
FORMAT = nullQueue

But this is not working! Not reject informational logs.

Thank you for your help.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The REGEX attribute does not match the sample event. For an event to be rejected it must contain the two strings "informational" and "xlog" with any number of characters between them. The sample event does not contain "xlog".

---
If this reply helps you, an upvote would be appreciated.
0 Karma

cesarfabre
Explorer

Hi Rich,

Sorry, I made a mistake. As I'm indexing the Palo Alto logs I would like support in editing the props and transforms.conf files.

My current props and transforms settings is working well with TRAFFIC filter. See:

(1) props.conf file
[pan:log]
TRANSFORMS-drop = discard-nolog

(2) transforms.conf
[discard-nolog]
REGEX = TRAFFIC.*xlog
DEST_KEY = queue
FORMAT = nullQueue

Now I would like to also filter informational logs from Palo Alto. So, how is the REGEX for this new filter?

Thanks a lot for your help!

César

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!