BenTan,
Thanks for taking the time to answer my question. I have 8 firewalls that are in 4 different time zones.
I will only focus on one for now...
raw event
Jan 2 08:40:09 CSG2-MAIN-FW1 1,2018/01/02 08:40:08,011901000724,TRAFFIC,end,1,2018/01/02 08:40:08,10.3.0.63,8.8.8.8,216.85.221.10,8.8.8.8,Standard Outbound Apps,,,ping,vsys1,Trust,Untrust,ethernet1/1,ethernet1/4,Panorama,2018/01/02 08:40:08,149453,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/01/02 08:39:57,0,any,0,275058159,0x0,10.0.0.0-10.255.255.255,United States,0,6,6,aged-out,213,0,0,0,,CSG2-MAIN-FW1,from-policy,,,0,,0,,N/A
Since these are all going to a syslog server, I cannot use the host stanza, so I was going to use the source stanza.
The source is:
/opt/syslog-ng/palo_alto/CSG2-MAIN-FW1/2018-01-02/messages.txt
I tried:
[ source::*CSG2-MAIN-FW1* ]
TZ = PST
but it did not work
I tried:
[source::.../opt/syslog-ng/palo_alto/CSG2-MAIN-FW1/*]
TZ = PST
but it did not work
I am making the changes to props.conf located in:
/opt/splunk/etc/apps/Splunk_TA_paloalto/default
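For reference, here is an added props.conf example (not code from the post above or from the Splunk_TA_paloalto app) showing the stanza form Splunk's props.conf documentation uses for a per-source time zone override. It assumes the file path quoted in the post, that the stanza is placed in the app's local directory rather than default, and that this instance is the one that parses the incoming data (an indexer or heavy forwarder, not a universal forwarder). The second stanza generalizes to a further firewall in another zone; its hostname and zone are placeholders.

```ini
# Added example, not from the original post.
# File: $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/props.conf
# Assumptions: path as quoted in the post; this host parses the data.

# In a source:: stanza, "..." matches any characters including "/",
# while "*" matches anything except "/". The date directory between the
# firewall name and messages.txt changes daily, so "..." covers it.
[source::/opt/syslog-ng/palo_alto/CSG2-MAIN-FW1/.../messages.txt]
# Use an IANA zone name so daylight-saving transitions are applied
# automatically across the year.
TZ = America/Los_Angeles

# Same pattern for a firewall in another time zone (placeholders).
[source::/opt/syslog-ng/palo_alto/<FW-HOSTNAME-2>/.../messages.txt]
TZ = <IANA-ZONE-NAME>
```

TZ is an index-time setting, so it only affects events indexed after splunkd is restarted on the parsing host; earlier events keep their original _time. To check the result, compare _time against the timestamp in _raw for a fresh event from each firewall, since a wrong zone shows up as a constant offset of whole hours and would skew any cross-site timeline built from these logs.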