Hi Rich,

I'm very happy, it worked.

Now I will configure the email to send alerts when critical events occur.

Thanks a lot!

@cesarfabre Please accept the answer to help future readers.

@richgalloway I accepted!!!

Tks

Hi Rich,

Follows the event log:

Apr 22 14:00:57 192.168.x.x 1,2019/04/22 14:00:57,001801010915,THREAT,spyware,2049,2019/04/22 14:00:57,192.168.X.X,74.125.X.X,179.191.X.X,74.125.X.X,EXIT_INTERNET,unknown,,ssl,vsys1,INTER,MUNDI,ethernet1/3.168,ethernet1/4.179,LOG-FORWARD-SPLUNK,2019/04/22 14:00:57,147775,1,51631,443,51644,443,0x423000,tcp,alert,"fonts.gstatic.com/",Suspicious TLS Evasion Found(14978),computer-and-internet-info,informational,client-to-server,73291901,0x2000000000000000,XX,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,FW-XX,PA-XXXX-XXX,,,,,0,,0,,N/A,spyware,AppThreat-8144-5408,0x0,0,4294967295,
host = 192.168.X.X source = udp:5514 sourcetype = pan:threat

My current props and transforms settings:

(1) props.conf file
[pan:log]
TRANSFORMS-drop = discard-nolog

(2) transforms.conf
[discard-nolog]
REGEX = informational.*xlog
DEST_KEY = queue
FORMAT = nullQueue

But this is not working! Not reject informational logs.

Thank you for your help.

The REGEX attribute does not match the sample event. For an event to be rejected it must contain the two strings "informational" and "xlog" with any number of characters between them. The sample event does not contain "xlog".

Hi Rich,

Sorry, I made a mistake. As I'm indexing the Palo Alto logs I would like support in editing the props and transforms.conf files.

My current props and transforms settings is working well with TRAFFIC filter. See:

(1) props.conf file
[pan:log]
TRANSFORMS-drop = discard-nolog

(2) transforms.conf
[discard-nolog]
REGEX = TRAFFIC.*xlog
DEST_KEY = queue
FORMAT = nullQueue

Now I would like to also filter informational logs from Palo Alto. So, how is the REGEX for this new filter?

Thanks a lot for your help!

César