Hi,
I removed some settings that I made earlier under our custom app in props.conf and transforms.conf for pan:log and pan:traffic. After I removed those settings, I am not able to get any logs in any sourcetype. Could you please suggest whether I need to make those changes, and whether this is how this app is designed to work?
We have a custom app, AAA, where we push props.conf and transforms.conf:
# transforms.conf
[dnb_PaloAlto_sourcetype_setting]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)
FORMAT = sourcetype::pan:log
DEST_KEY = MetaData:Sourcetype

[pan_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = ^[^,]+,[^,]+,[^,]+,TRAFFIC,
FORMAT = sourcetype::pan:traffic

# props.conf
TRANSFORMS-sub_sourcetype_PaloAlto = pan_traffic

[pan_traffic]
rename = pan:traffic

[pan:traffic]
REPORT-search = extract_traffic
FIELDALIAS-app = app as application
FIELDALIAS-vsys = virtual_system as vsys
# Field Aliases to map specific fields to the Splunk Common Information Model - Network Traffic
EVAL-vendor_action = action
LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action
# bytes, bytes_in, bytes_out
FIELDALIAS-dest_for_pan_traffic = dest_ip as dest
FIELDALIAS-dvc_for_pan_traffic = host as dvc
FIELDALIAS-protocol_for_pan_traffic = protocol as vendor_protocol
FIELDALIAS-transport = protocol as transport
FIELDALIAS-src_for_pan_traffic = src_ip as src
FIELDALIAS-dest_category = category as dest_category
# Set user field
EVAL-user = coalesce(src_user,dest_user,"unknown")
# Determine client and server ip address based on direction of flow
# There is no direction field in traffic logs, so assume source is client
EVAL-server_ip = dest_ip
EVAL-client_ip = src_ip
# Determine client and server geo location based on direction of flow
# There is no direction field in traffic logs, so assume source is client
EVAL-server_location = dest_location
EVAL-client_location = src_location
LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product
LOOKUP-pan_app = app_lookup app
# IP Classification based on ip_classification lookup table
# This lookup table can be modified by user to mark IP ranges,as serving specific purposes (eg. DMZ_Servers)
LOOKUP-src_class = classification_lookup cidr as src_ip OUTPUT classification as src_class
LOOKUP-dest_class = classification_lookup cidr as dest_ip OUTPUT classification as dest_class
LOOKUP-app_saas_class = sanctioned_saas_lookup app OUTPUT sanctioned_saas as app:is_sanctioned_saas
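As an added offline check (not the poster's configuration or anything shipped with the Palo Alto app), the Python below replays the two posted REGEX/FORMAT transforms and the rename stanza over constructed sample events, so you can see which sourcetype each line would end up with before the config is pushed; the sample lines and the "syslog" input sourcetype are assumptions.

```python
import re

# The REGEX/FORMAT pairs from the posted transforms.conf stanzas.
TRANSFORMS = {
    "dnb_PaloAlto_sourcetype_setting": {
        "REGEX": r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)",
        "FORMAT": "sourcetype::pan:log",
    },
    "pan_traffic": {
        "REGEX": r"^[^,]+,[^,]+,[^,]+,TRAFFIC,",
        "FORMAT": "sourcetype::pan:traffic",
    },
}

# The rename from the posted props.conf ([pan_traffic] rename = pan:traffic).
RENAMES = {"pan_traffic": "pan:traffic"}

# Evaluation order; a later match overrides an earlier one, as successive
# DEST_KEY = MetaData:Sourcetype writes do.
CHAIN = ["dnb_PaloAlto_sourcetype_setting", "pan_traffic"]


def classify(raw_event, input_sourcetype="syslog"):
    """Return the sourcetype the posted stanzas would leave on one raw event."""
    # input_sourcetype stands in for the sourcetype from inputs.conf (constructed);
    # the event keeps it when neither REGEX matches.
    sourcetype = input_sourcetype
    for name in CHAIN:
        stanza = TRANSFORMS[name]
        if re.search(stanza["REGEX"], raw_event):
            # FORMAT is "sourcetype::<value>"; keep the part after the separator.
            sourcetype = stanza["FORMAT"].split("::", 1)[1]
    return RENAMES.get(sourcetype, sourcetype)


# Constructed sample events (not real logs): a Panorama-relayed TRAFFIC line, a
# Panorama-relayed THREAT line, a TRAFFIC line whose host the first REGEX does
# not match, and an unrelated sshd line.
SAMPLE_EVENTS = [
    "Oct 12 10:15:32 us-dc1-panorama 1,2023/10/12 10:15:31,0123456789,TRAFFIC,end,2049,...",
    "Oct 12 10:15:33 us-dc1-panorama 1,2023/10/12 10:15:32,0123456789,THREAT,url,2049,...",
    "Oct 12 10:15:34 fw-core-01 1,2023/10/12 10:15:33,0123456789,TRAFFIC,end,2049,...",
    "Oct 12 10:15:35 webserver01 sshd[1234]: Accepted publickey for ops from 10.0.0.5",
]


def classify_all(events=SAMPLE_EVENTS):
    """Map each sample event to the sourcetype the transforms would assign."""
    return [classify(e) for e in events]
```

Only the regex matching is reproduced here, not the rest of Splunk's parsing pipeline; note that the pan_traffic REGEX is host-independent, so the fw-core-01 line is routed to pan:traffic even though the Panorama REGEX never matched it.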