Palo Alto app not parsing the sourcetype

ccsfdave
Builder

I can see the Palo Alto data coming into the Heavy Forwarder, into /var/log/syslog/ngf01 (and ngf02). On the Search Head I see how the sourcetype should be extracted in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/transforms.conf, but nothing is extracted and thus none of the Palo Alto data is extracted; it just comes in raw into index=pan_logs, but all the data goes to sourcetype=pan, and thus extractions of fields downstream of that do not work.

I would expect minimum sourcetypes of pan_threat, pan_traffic, pan_system, pan_config

0 Karma

ccsfdave
Builder

@jibin1988 Hit me up on Slack or post your specific question, I may be able to help. This Answers is approaching 4y old so I am sure what issues I had are behind me.

0 Karma

jibin1988
Path Finder

@ccsfdave please let me know your Slack id. Request you to ping on Slack: j.sebastian@obrela.com

0 Karma

ccsfdave
Builder

Hmm, unless I am looking at the wrong inputs.conf (/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf) below is what I have in there on my heavy forwarder:

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

0 Karma

ccsfdave
Builder

shoot, in

/opt/splunk/etc/apps/sf_syslog_inputs/local/inputs.conf

I had:

[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4

Which I have now changed to pan_logs and bounced the Fwdr. Let's see what happens

0 Karma

jibin1988
Path Finder

@ccsfdave You got it fixed? I have the same issue. Palo Alto logs are not getting parsed with the TA.
Can you please update if you got it fixed?

0 Karma

ccsfdave
Builder

Ya, I have the TA installed as per the installation instructions. I tried to follow them to a T but have been known to be spacey

0 Karma

maciep
Champion

I just took a quick peek at the TA, and it looks like it expects the initial sourcetype to be pan_log (or pan:log). Are you setting yours to just pan in your inputs? That might explain why it's not getting processed correctly.

[pan_log]
rename = pan:log
pulldown_type = false
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44

[pan:log]
category = Network & Security
description = Output produced by the Palo Alto Networks Next-generation Firewall and Traps Endpoint Security Manager
pulldown_type = true
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint

0 Karma
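A small checker, added here as an example and not part of the TA or of anyone's post in this thread, that reads inputs.conf and props.conf text and flags any input whose sourcetype will never reach a TRANSFORMS-sourcetype stanza (following `rename = ...`, so pan_log and pan:log resolve to the same settings). The conf snippets are constructed from this thread, and the rename handling is a simplification of Splunk's real precedence rules.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments are skipped."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: SEDCMD values contain '=' too
            current[key.strip()] = value.strip()
    return stanzas

def resolve_props(props):
    """Map sourcetype -> applicable props stanza, following 'rename = X' (simplified)."""
    return {name: props.get(s.get("rename", name), s) for name, s in props.items()}

def check_routing(inputs_text, props_text):
    """Return {input stanza: problem} for inputs whose events would keep their
    raw sourcetype because no TRANSFORMS-sourcetype ever applies to them."""
    inputs, handled = parse_conf(inputs_text), resolve_props(parse_conf(props_text))
    problems = {}
    for stanza, settings in inputs.items():
        st = settings.get("sourcetype")
        if st is None:
            problems[stanza] = "no sourcetype set"
        elif st not in handled:
            problems[stanza] = f"sourcetype '{st}' matches no props stanza; known: {sorted(handled)}"
        elif "TRANSFORMS-sourcetype" not in handled[st]:
            problems[stanza] = f"props stanza for '{st}' has no TRANSFORMS-sourcetype"
    return problems

# Constructed from the thread: the monitor input used sourcetype = pan, while
# the TA's props.conf only routes pan_log (renamed to pan:log) and pan:log.
INPUTS_CONF = """
[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
[udp://514]
sourcetype = pan:log
"""
PROPS_CONF = """
[pan_log]
rename = pan:log
[pan:log]
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config
"""
FINDINGS = check_routing(INPUTS_CONF, PROPS_CONF)  # only the 'pan' monitor input is flagged
```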

maciep
Champion

Do you have the Splunk_TA_paloalto add-on installed on the heavy forwarder as well? That's where the sourcetype parsing needs to happen in your scenario.

0 Karma