Hi, I am trying to configure PaloAlto logs via the Splunk Connect for Syslog. I followed the instructions here https://splunk.github.io/splunk-connect-for-syslog/main/sources/PaloaltoNetworks/ I...
See more...
Hi, I am trying to configure PaloAlto logs via the Splunk Connect for Syslog. I followed the instructions here https://splunk.github.io/splunk-connect-for-syslog/main/sources/PaloaltoNetworks/ I configured the syslog at PaloAlto according the instructions. I also c I can see the syslog connections arriving to the host from the firewall using the command tcpdump port 514. Add the following lines to splunk_metadata.csv pan_config,index,test
pan_correlation,index,test
pan_globalprotect,index,test
pan_hipmatch,index,test
pan_log,index,test
pan_system,index,test
pan_threat,index,test
pan_traffic,index,test
pan_userid,index,test And restart sc4s systemctl restart sc4s I checked the index test and it is empty. I enabled the debug by adding with the line in the env_file SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug and it seems like the index defined in the spplunk_metadata.csv is not taken, instead osnix is used. curl -k -u "sc4s HEC debug:$SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN" "https://splunk.XX.XXX.XXu:8088/services/collector/event" -d '{"time":"1643726324.000","sourcetype":"nix:syslog","source":"program:","index":"osnix","host":"atlas-fw-01.XXX.XX.XX","fields":{"sc4s_vendor_product":"nix_syslog","sc4s_syslog_severity":"info","sc4s_syslog_format":"rfc5424_strict","sc4s_syslog_facility":"user","sc4s_proto":"UDP","sc4s_loghost":"xxxxxxxxxx","sc4s_fromhostip":"192.168.10.100","sc4s_destport":"514","sc4s_container":"xxxxxxxx"},"event":"2022-02-01T14:38:44.000+00:00 atlas-fw-01.xxx.xxx.xxx - - - - 1,2022/02/01 15:38:43,011901021137,TRAFFIC,end,2561,2022/02/01 15:38:43,192.168.20.63,157.240.27.54,154.14.118.254,157.240.27.54,Normal traffic,xxx\\yyy,,quic,vsys1,Internal,External,ae1,ae2.6,Splunk,2022/02/01 15:38:43,113676,1,56081,443,49985,443,0x400019,udp,allow,7358,2250,5108,19,2022/02/01 15:36:43,0,any,,7030011678692056750,0x0,192.168.0.0-192.168.255.255,Germany,,7,12,aged-out,0,0,0,0,,atlas-fw-01,from-policy,,,0,,0,,N/A,0,0,0,0,c8250554-4ccd-46e3-8498-e74cfe9cdd10,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2022-02-01T15:38:44.130+01:00,,,infrastructure,networking,browser-based,1,tunnel-other-application,,quic,no,no,0"}' I already check and the HEC token is allowed to index test. Could someone tell me what is happening? thanks