Hi Rich,
The event log follows:
Apr 22 14:00:57 192.168.x.x 1,2019/04/22 14:00:57,001801010915,THREAT,spyware,2049,2019/04/22 14:00:57,192.168.X.X,74.125.X.X,179.191.X.X,74.125.X.X,EXIT_INTERNET,unknown,,ssl,vsys1,INTER,MUNDI,ethernet1/3.168,ethernet1/4.179,LOG-FORWARD-SPLUNK,2019/04/22 14:00:57,147775,1,51631,443,51644,443,0x423000,tcp,alert,"fonts.gstatic.com/",Suspicious TLS Evasion Found(14978),computer-and-internet-info,informational,client-to-server,73291901,0x2000000000000000,XX,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,FW-XX,PA-XXXX-XXX,,,,,0,,0,,N/A,spyware,AppThreat-8144-5408,0x0,0,4294967295,
host = 192.168.X.X source = udp:5514 sourcetype = pan:threat
My current props and transforms settings:
(1) props.conf file
[pan:log]
TRANSFORMS-drop = discard-nolog
(2) transforms.conf
[discard-nolog]
REGEX = informational.*xlog
DEST_KEY = queue
FORMAT = nullQueue
But this is not working! It does not reject informational logs.
Thank you for your help.
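A quick way to see why a nullQueue transform is not firing is to run its REGEX against the raw event offline before touching Splunk. The script below is an added example, not code from the post or from Splunk; it re-uses the threat event quoted above (placeholder IPs kept as-is), tests the posted pattern `informational.*xlog` against it, and contrasts it with a regex that matches the severity field by position. It assumes that Splunk applies REGEX to `_raw` (the default SOURCE_KEY), that Python's `re` is an adequate stand-in for Splunk's PCRE engine for these patterns, and that in the PAN-OS threat CSV the severity sits at 0-based field index 34 (which is where it appears in the quoted event). Note also that a props.conf stanza only applies to events whose sourcetype matches its name; the quoted event carries `sourcetype = pan:threat`.

```python
import csv
import re

# Constructed sample: the PAN-OS threat event quoted in the post, with its placeholder IPs.
SAMPLE_EVENT = (
    "Apr 22 14:00:57 192.168.x.x 1,2019/04/22 14:00:57,001801010915,THREAT,spyware,2049,"
    "2019/04/22 14:00:57,192.168.X.X,74.125.X.X,179.191.X.X,74.125.X.X,EXIT_INTERNET,unknown,,"
    "ssl,vsys1,INTER,MUNDI,ethernet1/3.168,ethernet1/4.179,LOG-FORWARD-SPLUNK,2019/04/22 14:00:57,"
    "147775,1,51631,443,51644,443,0x423000,tcp,alert,\"fonts.gstatic.com/\","
    "Suspicious TLS Evasion Found(14978),computer-and-internet-info,informational,client-to-server,"
    "73291901,0x2000000000000000,XX,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,FW-XX,PA-XXXX-XXX,"
    ",,,,,0,,0,,N/A,spyware,AppThreat-8144-5408,0x0,0,4294967295,"
)

# Constructed variant of the same event with severity "medium" (must NOT be dropped).
MEDIUM_EVENT = SAMPLE_EVENT.replace(",informational,client-to-server,", ",medium,client-to-server,")

# The REGEX from the posted transforms.conf stanza.
POSTED_REGEX = r"informational.*xlog"

# Assumption: in the comma-separated PAN-OS threat payload the severity
# ("informational", "low", "medium", ...) is the 35th field, i.e. index 34 from 0.
SEVERITY_FIELD = 34


def would_be_dropped(event, regex):
    """Emulate the transforms.conf test: with the default SOURCE_KEY (_raw), Splunk
    routes the event to nullQueue when REGEX matches anywhere in the raw text.
    Python's re stands in for Splunk's PCRE engine, which is fine for these patterns."""
    return re.search(regex, event) is not None


def threat_fields(event):
    """Split the raw event into the PAN-OS CSV fields, dropping the syslog header
    (month, day, time, host) that precedes the '1,2019/...' payload. csv handles the
    quoted URL field so a comma inside quotes cannot shift the field positions."""
    payload = event.split(" ", 4)[4]
    return next(csv.reader([payload]))


def severity(event):
    """Return the severity field of a PAN-OS threat event."""
    return threat_fields(event)[SEVERITY_FIELD]


def severity_regex(level):
    """Build a REGEX that matches the severity field by position rather than by
    substring: skip SEVERITY_FIELD comma-terminated fields from the start of the
    line (the syslog header contains no commas, so it is part of field 0), then
    require the wanted level followed by a comma."""
    return r"^(?:[^,]*,){%d}%s," % (SEVERITY_FIELD, re.escape(level))


if __name__ == "__main__":
    print("severity field:", severity(SAMPLE_EVENT))
    print("posted regex drops event:", would_be_dropped(SAMPLE_EVENT, POSTED_REGEX))
    print("bare 'informational' drops event:", would_be_dropped(SAMPLE_EVENT, "informational"))
    print("positional regex drops event:", would_be_dropped(SAMPLE_EVENT, severity_regex("informational")))
    print("positional regex drops medium event:", would_be_dropped(MEDIUM_EVENT, severity_regex("informational")))
```

Running it shows that the posted pattern never matches, because nothing resembling `xlog` appears after `informational` in the raw text, while a pattern anchored on the severity field drops the informational event and keeps the medium one. The positional form is preferable to a bare substring because a URL or threat name containing the word would otherwise be enough to discard a higher-severity alert.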