OK well I guess that can be done in some environments, but I have a difficult enough time getting my network people to load balance one port on my syslog cluster. Multiple is not something we can do right now. Can the TA re-sourcetype URL filtering logs? Maybe paloalto:urlfiltering?
You can modify the index-time fields by regex matching for url logs and altering the sourcetype or index. This would be a configuration on your Splunk server using Splunk standard props.conf and transforms.conf. It wouldn't be added to the TA itself, just configured on your Splunk. Would that be preferable for your environment?
Yes. I think props & transforms are the way to do this. I'd love to see those props and transforms included in the TA in the ./default subfolder giving me the ability to enable them in ./local and then push the TA to my syslog heavies, via our deployment server.
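As an added illustration of the props.conf/transforms.conf approach the two posts above discuss (this is not configuration shipped with the TA, and it has not been taken from the thread), the stanzas below re-sourcetype and re-index PAN-OS URL-filtering syslog events at index time. They assume the events arrive under the TA's pan:log sourcetype, that the syslog line carries the standard PAN-OS CSV layout where the fourth comma-separated field is the log type (THREAT) and the fifth is the subtype (url), and that the destination sourcetype pan:url_filtering and index pan_url are names you choose; those two names are placeholders, not names defined by the TA.

```ini
# transforms.conf (on the indexer or syslog heavy forwarder, e.g. in
# $SPLUNK_HOME/etc/apps/<your_local_app>/local/transforms.conf)
#
# Match THREAT/url events by position in the PAN-OS CSV: the first three
# fields (syslog header + FUTURE_USE, receive time, serial) are skipped,
# then the type must be THREAT and the subtype must be url.
[pan_url_sourcetype]
REGEX    = ^(?:[^,]*,){3}THREAT,url,
# Placeholder sourcetype name; pick whatever your search-time props expect.
FORMAT   = sourcetype::pan:url_filtering
DEST_KEY = MetaData:Sourcetype

[pan_url_index]
REGEX    = ^(?:[^,]*,){3}THREAT,url,
# Placeholder index name; the index must already exist on the indexers.
FORMAT   = pan_url
DEST_KEY = _MetaData:Index

# props.conf (same app). Index-time TRANSFORMS are applied to the
# sourcetype the data is received as, so they are attached to pan:log,
# not to the destination sourcetype.
[pan:log]
TRANSFORMS-pan_url_route = pan_url_sourcetype, pan_url_index
```

Two practical points when deploying this: the TA's own props for pan:log may already carry index-time TRANSFORMS that rewrite the sourcetype, so put these stanzas in a separate app whose precedence you control and confirm with a sample event (for example with the `_index_earliest` / `index=pan_url sourcetype=pan:url_filtering` search after restart) that both the sourcetype and the index land where expected; and because the regex is anchored on field position, any syslog relay that prepends extra comma-containing text to the line will break the match, so test against a line exactly as your syslog heavies receive it.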
Hello,
This is possible starting in PAN-OS 8.0 with the existing TA. Splunk separates logs into different indexes per data input. So you need to create a different data input with a different port for your URL log index, then on the firewall, configure URL logs to go to this new port.
Previous to PAN-OS 8.0 you could separate logs to different ports by severity only. But in 8.0 and higher you can separate logs by severity and type, so you can send just URL logs to a specific port tied to your URL log index.
-Brian
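As an added example of the per-port approach Brian describes (constructed here, not from the TA or from this thread), the inputs.conf below defines two syslog data inputs: the existing one for all firewall logs and a second one on its own port that lands in a URL-only index. Port numbers, index names and the use of UDP are assumptions for illustration; on the firewall side, the PAN-OS 8.0+ log forwarding profile would then send only URL logs to a syslog server profile pointing at the second port.

```ini
# inputs.conf on the Splunk syslog heavy forwarder (or indexer)
#
# Existing catch-all input: everything the firewall sends today.
[udp://5514]
sourcetype = pan:log
index = pan_logs
# Keep the firewall's own timestamp rather than the receive time.
no_appending_timestamp = true

# New input dedicated to URL filtering logs. Splunk assigns the index per
# input, so pointing URL logs at this port is what routes them to pan_url.
# Port 5515 and index pan_url are placeholder values.
[udp://5515]
sourcetype = pan:log
index = pan_url
no_appending_timestamp = true
```

Both inputs keep sourcetype = pan:log so the TA's existing index-time transforms still split the events into their normal per-type sourcetypes; only the index differs. The index named here must exist on the indexers before events arrive, otherwise Splunk drops them to the default index (or rejects them, depending on the lastChanceIndex setting), so create it and verify with a search on index=pan_url after the firewall profile change.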