We want to cut down on the amount of data that is going to Splunk from our Palo Alto firewalls. To do that, we want to trim the unnecessary data from the logs but still have it parse correctly in Splunk. When we create the custom log format it is no longer recognized as PAN:Traffic; instead it is being parsed as PAN:Firewall. We used the custom format from Palo Alto's website and included the commas where they were supposed to go. BTW, this is configured on Panorama in the syslog settings.
Before: from Palo Alto's website
FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connection, App Flap Count, Policy ID, Link Switches, SD-WAN Cluster, SD-WAN Device Type, SD-WAN Cluster Type, SD-WAN Site, Dynamic User Group Name
We have even captured packets and compared what we are getting with what is expected, and they seem to match up. Not sure what is wrong, but would love some help. Not sure Palo Alto will help, though we did submit a ticket to them. Splunk closed my ticket because the app is "Vendor Supported". Any advice on doing this, or any other suggestions on how anyone else is doing Palo Alto logs?
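An added example to illustrate the check described in the post; it is not code from the original post, from Splunk, or from Palo Alto. It takes the field order of the "Before" traffic format quoted above, builds a constructed sample traffic line in that order, and then compares a line where a leading column was removed with a line where the same position was kept but left empty (the "keep the commas" approach). The routing rule it applies is an assumption: that a line is treated as traffic only when the fourth comma-separated field (Type) is TRAFFIC and otherwise falls into the generic firewall sourcetype. All sample values (serial number, addresses, device name) are constructed.

```python
import csv
from io import StringIO

# Field order copied from the "Before" traffic log format quoted in the post.
TRAFFIC_FORMAT = (
    "FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, "
    "Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, "
    "Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, "
    "Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, "
    "Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, "
    "NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, "
    "Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, "
    "Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, "
    "Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, "
    "Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, "
    "Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, "
    "Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, "
    "SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connection, "
    "App Flap Count, Policy ID, Link Switches, SD-WAN Cluster, SD-WAN Device Type, "
    "SD-WAN Cluster Type, SD-WAN Site, Dynamic User Group Name"
)
FIELDS = [name.strip() for name in TRAFFIC_FORMAT.split(",")]

# ASSUMPTION (not taken from the add-on's own config): a line is routed to the
# traffic sourcetype only when the fourth field, Type, is exactly "TRAFFIC";
# anything else is left in the generic firewall sourcetype.
TYPE_INDEX = FIELDS.index("Type")  # 3, i.e. the fourth column


def split_fields(line):
    """Split one PAN-OS CSV log line, honouring quoted fields that contain commas."""
    return next(csv.reader([line]))


def join_fields(fields):
    """Re-serialise a field list as one CSV line, quoting only where needed."""
    buf = StringIO()
    csv.writer(buf, lineterminator="").writerow(fields)
    return buf.getvalue()


def build_line(values):
    """Construct a traffic line in the documented order; unlisted fields stay empty."""
    return join_fields([values.get(name, "") for name in FIELDS])


def classify(line):
    """Apply the assumed routing rule: traffic if the Type column reads TRAFFIC."""
    fields = split_fields(line)
    if len(fields) > TYPE_INDEX and fields[TYPE_INDEX] == "TRAFFIC":
        return "pan:traffic"
    return "pan:firewall"


def parse_traffic(line):
    """Map a line onto the documented field names; refuse lines of the wrong width."""
    fields = split_fields(line)
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    return dict(zip(FIELDS, fields))


def drop_columns(line, indexes):
    """Remove whole columns (what a shortened custom format does): positions shift."""
    return join_fields([f for i, f in enumerate(split_fields(line)) if i not in indexes])


def blank_columns(line, names):
    """Empty the value but keep the comma, so every later field stays in place."""
    blank = {FIELDS.index(n) for n in names}
    return join_fields(["" if i in blank else f for i, f in enumerate(split_fields(line))])


# Constructed sample values; nothing here comes from a real firewall.
SAMPLE = build_line({
    "Receive Time": "2024/01/01 12:00:00", "Serial Number": "001234567890",
    "Type": "TRAFFIC", "Threat/Content Type": "end", "Source Address": "10.1.1.5",
    "Destination Address": "203.0.113.10", "Application": "web-browsing",
    "Destination Port": "443", "Protocol": "tcp", "Action": "allow", "Bytes": "1234",
    "Device Name": "fw-edge-01", "Device Group Hierarchy Level 1": "12",
})
# Dropping the leading FUTURE_USE column moves Type into the third position.
TRIMMED = drop_columns(SAMPLE, {0})
# Leaving the unwanted columns in place but empty keeps Type in the fourth position.
BLANKED = blank_columns(SAMPLE, ["Device Group Hierarchy Level 1", "Device Name"])

if __name__ == "__main__":
    for label, line in (("sample", SAMPLE), ("trimmed", TRIMMED), ("blanked", BLANKED)):
        print(f"{label}: {len(split_fields(line))} fields -> {classify(line)}")
```

The useful diagnostic here is the pair of numbers `parse_traffic` checks: the field count of a captured line versus the count in the format you configured, and what sits in the fourth position. A line that arrives with the right count and `TRAFFIC` in that position but still lands in the generic sourcetype points away from the format string itself and toward whatever precedes the payload in the syslog message.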