Hello All,

We are unable to get the Palo Alto Add-on and App to parse the incoming syslog traffic correctly. The environment we are in prevents us from setting up the syslog-ng.conf exactly as the instructions list it. We are trying to see if the modification that we have to make is causing the issues with the Add-on and App. The following shows what the instructions call for in the inputs and outputs, alongside what we have in place.

Palo Alto Instructions:

Under "Destinations" specify a .log file destination:

    destination d_udp514 {
        file("/YOURPATH/udp514.log" template("${MSG}\n"));
    };

Our Destinations:

    destination d_5400-A058-PaloAlto {
        file("/var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log" owner("root") group("root") perm(0644));
    };
    destination d_5400-B170-PaloAlto {
        file("/var/log/syslog-ng/PaloAlto.5400-B170.$YEAR.$MONTH.$DAY.log" owner("root") group("root") perm(0644));
    };
    destination d_5400-PA220-PaloAlto {
        file("/var/log/syslog-ng/PaloAlto.5400-PA220.$YEAR.$MONTH.$DAY.log" owner("root") group("root") perm(0644));
    };

*********************************

Palo Alto Instructions:

Create or modify /opt/splunkforwarder/etc/system/local/inputs.conf and add a monitoring stanza:

    [monitor:///YOURPATH/udp514.log]
    sourcetype = pan:log

Our inputs (using HF instead of UF):

    [monitor:///var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log]
    sourcetype = pan:log

*** Did not work, so used below ***

    [monitor:///var/log/syslog-ng()/PaloAlto*.log]
    sourcetype = pan:log
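Two things in the post above can be checked offline without touching syslog-ng or Splunk: what a file() destination writes with and without the template("${MSG}\n") option the Palo Alto instructions specify, and which of the two inputs.conf stanzas actually matches the date-stamped filenames the syslog-ng destinations produce. The script below is an added example, not code from the original post or from the Palo Alto Add-on. It assumes that syslog-ng's file() driver falls back to a "${ISODATE} ${HOST} ${MSGHDR}${MSG}\n" line when no template is given, that Splunk treats "$YEAR" in a monitor path as literal text (only "*" and "..." are wildcards), and that a PAN-OS CSV record carries the log type (TRAFFIC, THREAT, ...) in its fourth comma-separated field. The sample log record and host name are constructed.

```python
"""
Added example (not part of the original post): simulate the two syslog-ng
file() destination templates quoted above, then check which Splunk
monitor:// stanza matches the date-stamped file the destination writes.

Assumptions (not from the post):
  * syslog-ng's default file() output is "${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"
    when no template() option is given.
  * Splunk expands only "*" (one path segment) and "..." (any depth) in a
    monitor path; "$YEAR" and friends are literal characters.
  * PAN-OS CSV records keep the log type in the 4th comma-separated field and
    never carry whitespace in the 1st (FUTURE_USE) field.
"""
import re

PAN_LOG_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG", "HIPMATCH", "USERID"}

# Constructed sample: the macro values syslog-ng would hold for one message.
SAMPLE_MACROS = {
    "ISODATE": "2023-05-01T12:00:00+00:00",
    "HOST": "pa-220-lab",                     # constructed host name
    "MSGHDR": "",                             # PAN-OS sends no "program[pid]:" header
    "MSG": "1,2023/05/01 12:00:00,0123456789,TRAFFIC,end,2049,"
           "2023/05/01 12:00:00,10.1.1.5,93.184.216.34,0.0.0.0,0.0.0.0,"
           "allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,"
           "ethernet1/1,default,2023/05/01 12:00:00,12345,1,51234,443,0,0,"
           "0x19,tcp,allow,1234,600,634,10,2023/05/01 11:59:50,10,any,0,"
           "0,0x0,10.0.0.0-10.255.255.255,United States,0,5,5,tcp-fin",
    "YEAR": "2023", "MONTH": "05", "DAY": "01",
}

DEFAULT_FILE_TEMPLATE = "${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"   # assumed default
MSG_ONLY_TEMPLATE = "${MSG}\n"                                    # from the instructions


def render(template, macros):
    """Expand ${NAME} and $NAME macros the way syslog-ng does (minimal subset)."""
    def sub(m):
        return macros.get(m.group(1) or m.group(2), "")
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, template)


def is_bare_pan_record(line):
    """True when the line is a PAN-OS CSV record with no syslog header in front.

    Heuristic: field 4 must be a known log type and field 1 must contain no
    whitespace (a prepended "<date> <host> " lands in field 1).
    """
    fields = line.rstrip("\n").split(",")
    return len(fields) > 3 and fields[3] in PAN_LOG_TYPES and " " not in fields[0]


def monitor_matches(stanza, path):
    """Approximate Splunk monitor:// matching: '*' stays within one path
    segment, '...' crosses segments, everything else (including $YEAR) is literal."""
    pattern = stanza.strip("[]")
    if pattern.startswith("monitor://"):
        pattern = pattern[len("monitor://"):]
    rx, i = "", 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            rx, i = rx + ".*", i + 3
        elif pattern[i] == "*":
            rx, i = rx + "[^/]*", i + 1
        else:
            rx, i = rx + re.escape(pattern[i]), i + 1
    return re.fullmatch(rx, path) is not None


# The syslog-ng destination path from the post, expanded for the sample date.
DEST_PATH_TEMPLATE = "/var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log"
WRITTEN_PATH = render(DEST_PATH_TEMPLATE, SAMPLE_MACROS)

# The two inputs.conf stanzas from the post, exactly as written.
STANZA_WITH_MACROS = "[monitor:///var/log/syslog-ng/PaloAlto.5400-A058.$YEAR.$MONTH.$DAY.log]"
STANZA_WILDCARD = "[monitor:///var/log/syslog-ng/PaloAlto*.log]"


def report():
    """Return the line each template produces and which stanza matches the file."""
    return {
        "default_line": render(DEFAULT_FILE_TEMPLATE, SAMPLE_MACROS),
        "msg_only_line": render(MSG_ONLY_TEMPLATE, SAMPLE_MACROS),
        "written_path": WRITTEN_PATH,
        "macro_stanza_matches": monitor_matches(STANZA_WITH_MACROS, WRITTEN_PATH),
        "wildcard_stanza_matches": monitor_matches(STANZA_WILDCARD, WRITTEN_PATH),
    }


if __name__ == "__main__":
    r = report()
    print("file written by syslog-ng:", r["written_path"])
    for name in ("default_line", "msg_only_line"):
        print(f"{name}: bare PAN record = {is_bare_pan_record(r[name])}")
        print("   ", r[name].rstrip()[:90], "...")
    print("$YEAR stanza matches:", r["macro_stanza_matches"])
    print("wildcard stanza matches:", r["wildcard_stanza_matches"])
```

Running it shows the two effects side by side: without template("${MSG}\n") each line starts with the syslog-ng timestamp and host rather than with the CSV record, and the stanza containing $YEAR.$MONTH.$DAY never matches the file because Splunk does not expand those macros, whereas the PaloAlto*.log wildcard does. The header/no-header check is a heuristic for inspecting your own files, not a statement of what the Add-on's parser does.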