Logs not being properly parsed when shipped from Panorama to Splunk #305
Comments
Adding on to this, I have the following questions:
🎉 Thanks for opening your first issue here! Welcome to the community!
Any update on this?
Haven't heard anything from anyone yet. Are you running into the same thing?
Somewhat similar - having issues with events related to pan:firewall_cloud - but seems like no one from Palo has been responding to much of anything
Just curious - is there a better method to get support or an actual reply for this?
Not that I know of - very disappointing to not hear anything back at all
I second that sentiment
Describe the bug
Field extractions are not working properly on logs sent from Palo Alto Panorama v10.2.4-h4 to Splunk v9.0.2 with the Palo Alto app/add-on v8.1.0.
Expected behavior
Field extractions and transforms properly parse the data from the logs.
Current behavior
Field extractions are not working correctly. An example of this would be the word “deny” being assigned to the transport field rather than the protocol of tcp, udp, etc. Looking at the transforms.conf file of the add-on, I see that the first field in many of the [extract_*] stanzas is defined as “future_use1”, as shown below.
FIELDS="future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","misc","threat","raw_category","severity","direction","sequence_number","action_flags","src_location","dest_location","future_use4","content_type","pcap_id","file_hash","cloud_address","url_index","user_agent","file_type","xff","referrer","sender","subject","recipient","report_id","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","future_use5","src_vm","dest_vm","http_method","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type","threat_category","content_version","future_use6"
Each event in the data I am receiving from my firewall begins with a timestamp which is the second field listed in the extraction. I removed “future_use1” from the globalprotect, threat, traffic, userid, correlation, hipmatch, system, and config extractions, and now they seem to be working better.
In conjunction with the above change, I also had to alter the regexes which set the sourcetype on my events. The default configuration looks like the following:
Since my data starts with the “receive_time” field, it is necessary to change the regex to the following for the appropriate sourcetypes to be assigned.
REGEX = ^[^,]+,[^,]+,TRAFFIC,
Possible solution
Modify the regexes as noted above.
Steps to reproduce
Screenshots
n/a
Context
Trying to use data from our PA firewalls in order to set up reports and dashboards.
Your Environment
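To see the off-by-one the issue describes, here is an added Python example (not code from the add-on or from anyone in this thread) that maps a constructed traffic event, whose first field is receive_time, onto the quoted FIELDS list both with and without the leading future_use1 entry, and checks the quoted sourcetype regex against it. The event values are constructed; only the field names and the regex come from the issue.

```python
import csv
import re

# Field list from the add-on's transforms.conf as quoted in the issue; the
# first entry is the "future_use1" placeholder the reporter removed.
FIELDS = [
    "future_use1", "receive_time", "serial_number", "log_type", "log_subtype",
    "version", "generated_time", "src_ip", "dest_ip", "src_translated_ip",
    "dest_translated_ip", "rule", "src_user", "dest_user", "app", "vsys",
    "src_zone", "dest_zone", "src_interface", "dest_interface",
    "log_forwarding_profile", "future_use3", "session_id", "repeat_count",
    "src_port", "dest_port", "src_translated_port", "dest_translated_port",
    "session_flags", "transport", "action", "misc", "threat", "raw_category",
    "severity", "direction", "sequence_number", "action_flags", "src_location",
    "dest_location", "future_use4", "content_type", "pcap_id", "file_hash",
    "cloud_address", "url_index", "user_agent", "file_type", "xff", "referrer",
    "sender", "subject", "recipient", "report_id", "devicegroup_level1",
    "devicegroup_level2", "devicegroup_level3", "devicegroup_level4",
    "vsys_name", "dvc_name", "future_use5", "src_vm", "dest_vm", "http_method",
    "tunnel_id", "tunnel_monitor_tag", "tunnel_session_id", "tunnel_start_time",
    "tunnel_type", "threat_category", "content_version", "future_use6",
]

# Constructed sample event whose first field is receive_time (no leading
# future_use1 column), as the reporter sees from Panorama. Values that do not
# matter for the demonstration are left empty.
SAMPLE = {name: "" for name in FIELDS[1:]}
SAMPLE.update({"receive_time": "2023/10/04 09:01:20", "serial_number": "0123456789",
               "log_type": "TRAFFIC", "src_ip": "10.0.0.5",
               "transport": "tcp", "action": "deny"})
RAW_EVENT = ",".join(SAMPLE[name] for name in FIELDS[1:])

# Sourcetype selector quoted in the issue: exactly two fields before TRAFFIC.
TRAFFIC_REGEX = re.compile(r"^[^,]+,[^,]+,TRAFFIC,")


def extract(raw, fields):
    """Positional mapping the way a DELIMS/FIELDS transform works: the value
    at position i is assigned the name fields[i]; surplus names stay unset."""
    values = next(csv.reader([raw]))
    return dict(zip(fields, values))


def matches_traffic(raw):
    """True when the issue's proposed regex would assign the traffic sourcetype."""
    return TRAFFIC_REGEX.search(raw) is not None


def transport_with_and_without_future_use1():
    # Default stanza shifts every name one column left: transport gets "deny".
    return extract(RAW_EVENT, FIELDS)["transport"], extract(RAW_EVENT, FIELDS[1:])["transport"]
```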