
Why are all my PAN traffic logs appearing as if they are a year old?

cmiller_structu
New Member

For some reason, all the pan_traffic logs are showing up as happening in 2013 instead of 2014. System logs are showing the correct year. Any ideas?

0 Karma

martin_mueller
SplunkTrust

Define more precise timestamp extraction in the sourcetype. This should go into your_app/local/props.conf:

[pan_log]
# the syslog header reads "Nov 25 15:00:36", i.e. month name first, then day
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 16

Disclaimer: Didn't test these. Export a few events into a local file and drop them into the data preview, apply these settings, and see if the extraction works as desired.

Once it does, talk to the creators of the app to get this included in future releases.

0 Karma

cmiller_structu
New Member

Okay, I noticed that the system logs from .14 are showing up as happening in 2014, whereas the system logs from .13 are showing up as happening in 2013... so it looks like it is using the last octet of the IP as the year.... Now, how do I change that?

0 Karma

martin_mueller
SplunkTrust

Do correctly filed events (i.e. in 2014) have timestartpos and timeendpos?

Any warnings generated in index=_internal around the time wrongly filed events are indexed?

0 Karma

cmiller_structu
New Member

They do not have timestartpos and timeendpos, but they do have the correct date_year value (2014). Here is an example system log (a WildFire update) which has the correct date_year value extracted:

Nov 25 15:00:36 192.168.96.14 Nov 25 15:00:36 PA-Secondary.abc.abc.com 1,2014/11/25 15:00:36,0011C102389,SYSTEM,general,0,2014/11/25 15:00:36,,general,,0,0,general,informational,Wildfire package upgraded from version 45978-52637 to 45980-52639 by Auto update agent,12291,0x0

0 Karma

martin_mueller
SplunkTrust

Okay, so no year specified... In Splunk's search, pick one of these 2013 events and check the values for timestartpos and timeendpos. They should tell you where Splunk found the timestamp.

I'm guessing it found the 13 in the IP; if so, it should be timestartpos=0 timeendpos=29 or so...

0 Karma

cmiller_structu
New Member

I don't see any values for timestartpos or timeendpos, but I do see a value (2013) in "date_year" under "_time". Note that these logs are stored in the pan_logs index created by the Splunk for Palo Alto Networks app.

etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf:

[udp://1514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

0 Karma

martin_mueller
SplunkTrust

Got a sample event?

0 Karma

cmiller_structu
New Member

It won't let me paste a screenshot...

It looks something like this, but is showing up as 11/25/2013:

Nov 25 15:00:37 192.168.96.13 Nov 25 15:00:37 PA-Primary.abc.abc.com 1,2014/11/25 15:00:36,0011C100738,TRAFFIC,end,1,2014/11/25 15:00:36,10.10.1.241,206.78.73.17,174.12.34.226,207.78.71.17,Trust to Untrust,,,dns,vsys1,Trust,Untrust,ethernet1/8,ethernet1/1.2,Splunk forward,2014/11/25 15:00:36,34007029,1,57746,53,18407,53,0x430819,udp,allow,281,98,183,2,2014/11/25 15:00:05,30,any,0,117735991,0x0,192.168.0.0-192.168.255.255,US,0,1,1

0 Karma

jotne
Builder

You should use the timestamp after the host name, like this:

TIME_PREFIX = [^,]+,
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y/%m/%d %H:%M:%S

This will pick this part (the timestamp right after the first comma, 2014/11/25 15:00:36):

Nov 25 15:00:37 192.168.96.13 Nov 25 15:00:37 PA-Primary.abc.abc.com 1,2014/11/25 15:00:36,0011C100738,TRAFFIC.....

0 Karma
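As an added example (not part of the thread, and not Splunk's own parser): a small Python approximation of the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT settings from the last answer, run against the traffic event quoted in the question, next to a header-only parse that shows why the year has to be guessed. The emulation logic and the year_mismatch check are assumptions for illustration; the sample event is the constructed (truncated) line from the thread.

```python
import re
from datetime import datetime

# Constructed sample: the traffic event quoted in the question, cut after the first few CSV fields.
SAMPLE = ("Nov 25 15:00:37 192.168.96.13 Nov 25 15:00:37 PA-Primary.abc.abc.com "
          "1,2014/11/25 15:00:36,0011C100738,TRAFFIC,end,1,2014/11/25 15:00:36,10.10.1.241")

# The three props.conf settings from the last answer, expressed as Python values.
TIME_PREFIX = re.compile(r"[^,]+,")      # skip everything up to and including the first comma
MAX_TIMESTAMP_LOOKAHEAD = 30             # characters inspected after the prefix
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"        # PAN receive_time field, year included


def header_timestamp(event):
    """Parse the syslog header at the start of the line (what a start-of-line extraction sees).
    The header carries no year, so strptime falls back to 1900: the year has to be
    guessed, which is the situation the thread describes."""
    m = re.match(r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}", event)
    return datetime.strptime(m.group(0), "%b %d %H:%M:%S") if m else None


def extract_timestamp(event, prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD, fmt=TIME_FORMAT):
    """Assumed approximation of TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT:
    skip the prefix, then parse `fmt` inside the next `lookahead` characters.
    Returns (datetime, timestartpos, timeendpos) or None."""
    m = prefix.search(event)
    if not m:
        return None
    start = m.end()
    window = event[start:start + lookahead]
    # strptime wants an exact match, so shrink the window until the format fits
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt), start, start + end
        except ValueError:
            continue
    return None


def year_mismatch(event, indexed_year):
    """Flag events whose indexed year (date_year in search) disagrees with the year
    in the event's own receive_time field; handy for finding mis-filed events."""
    parsed = extract_timestamp(event)
    return parsed is not None and parsed[0].year != indexed_year


if __name__ == "__main__":
    print("header only:", header_timestamp(SAMPLE))
    print("with TIME_PREFIX:", extract_timestamp(SAMPLE))
    print("filed under 2013 is wrong:", year_mismatch(SAMPLE, 2013))
```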