Getting Data In

Palo Alto App (CEF)

kphillipson
Path Finder

Any support for the Common Event Format (CEF)?

We have a requirement to send the logs out in the Common Event Format, and the way the app is set up it is not recognizing it. I have changed some of the settings in the transforms.conf file to change the sourcetype on the log entries, but the delimiting character is not the same and the fields are all out of sorts.

Has anyone already made these modifications to have the app work? Does the author of the application plan to include different types of formats?

Example:

Jan 31 01:11:11 192.168.1.1 CEF:0|Palo Alto Networks|PAN-OS|hostname|end|TRAFFIC|1|rt=$cefformatted-receive_time deviceExternalId=0002D01655 src=1.1.1.1 dst=2.2.2.2 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=3.3.3.3 cs1Label=Rule cs1=InternetDNS suser= duser= app=dns cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=InetRIP cs5Label=Destination Zone cs5=InternetDMZ deviceInboundInterface=ethernet10/20 deviceOutboundInterface=ethernet10/30 cs6Label=LogProfile cs6=Main Logging Profile cn1Label=SessionID cn1=261776 cnt=1 spt=18430 dpt=53 sourceTranslatedPort=18430 destinationTranslatedPort=53 flexString1Label=Flags flexString1=0x400000 proto=udp act=allow flexNumber1Label=Total bytes flexNumber1=84 cn2Label=Packets cn2=1 start=$cefformatted-time_generated cn3Label=Elapsed time in seconds cn3=0 cs2Label=URL Category cs2=any

Thanks,
Kyle


monzy
Communicator

Hello Kyle,

There is no plan to support the CEF format in this app. The app conforms to Splunk's Common Information Model and it also conforms to Palo Alto's syslog specification. You could create field aliases for misc fields in the CEF format. The app's dashboards and views will render appropriately.

Splunk Common Information Model: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationMod...

Splunk field aliasing: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields
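For reference, the following is an added example, not code from the thread, from the Palo Alto app, or from Splunk. It parses the CEF line Kyle posted (pipe-delimited header, then space-separated key=value extension whose values may themselves contain spaces, with the CEF escapes honoured) and then does outside Splunk what monzy's field-alias suggestion does inside it: it maps the CEF keys, and the vendor-defined csN/cnN/flexN slots via their *Label companions, onto Common Information Model Network Traffic field names. The sample line is the one from the question, constructed here as a single string; the CIM names in the two alias tables, the `vsys`, `category` and `log_subtype` names, and the assumption that those are the fields the app's dashboards read are mine and should be checked against the app's props.conf before being turned into FIELDALIAS stanzas.

```python
# Added example (not from the Palo Alto app or Splunk): parse a PAN-OS CEF
# syslog line and alias its keys to assumed CIM Network Traffic field names.
import re

# Constructed sample: the TRAFFIC line from the question, joined into one string.
SAMPLE = (
    "Jan 31 01:11:11 192.168.1.1 CEF:0|Palo Alto Networks|PAN-OS|hostname|end|TRAFFIC|1|"
    "rt=$cefformatted-receive_time deviceExternalId=0002D01655 src=1.1.1.1 dst=2.2.2.2 "
    "sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=3.3.3.3 cs1Label=Rule "
    "cs1=InternetDNS suser= duser= app=dns cs3Label=Virtual System cs3=vsys1 cs4Label=Source "
    "Zone cs4=InetRIP cs5Label=Destination Zone cs5=InternetDMZ deviceInboundInterface="
    "ethernet10/20 deviceOutboundInterface=ethernet10/30 cs6Label=LogProfile cs6=Main Logging "
    "Profile cn1Label=SessionID cn1=261776 cnt=1 spt=18430 dpt=53 sourceTranslatedPort=18430 "
    "destinationTranslatedPort=53 flexString1Label=Flags flexString1=0x400000 proto=udp "
    "act=allow flexNumber1Label=Total bytes flexNumber1=84 cn2Label=Packets cn2=1 "
    "start=$cefformatted-time_generated cn3Label=Elapsed time in seconds cn3=0 cs2Label=URL Category cs2=any"
)

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

# A key starts at line start or after whitespace. A literal '=' inside a value
# must be escaped as '\=' per the CEF spec, so an unescaped 'key=' opens a new pair.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESC_RE = re.compile(r"\\(.)")


def _unescape(value):
    # CEF escapes: '\\', '\=', '\|' plus '\n' / '\r' for embedded line breaks.
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body):
    """Split on unescaped '|' into the 7 header fields; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped '|' or '\' in a header field
            buf.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, body[i:]


def _parse_extension(ext):
    """Space-separated key=value pairs; a value runs until the next unescaped 'key='."""
    out, hits = {}, list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(hits):
        end = hits[idx + 1].start() if idx + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line):
    """Return {'syslog_prefix', 'header', 'ext'} for one syslog line carrying CEF."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[pos + len("CEF:"):])
    return {"syslog_prefix": line[:pos].rstrip(),
            "header": dict(zip(HEADER_NAMES, fields)),
            "ext": _parse_extension(ext)}


def resolve_labels(ext):
    """Apply the ArcSight label convention: 'cs1Label=Rule cs1=X' yields {'Rule': 'X'}."""
    named = {}
    for key, value in ext.items():
        if key.endswith("Label") and key[:-5] in ext and value:
            named[value] = ext[key[:-5]]
    return named


# Assumed CIM Network Traffic names for the standard CEF keys (what a Splunk
# FIELDALIAS would rename to); verify against the app's own field names.
CEF_TO_CIM = {
    "src": "src", "dst": "dest", "spt": "src_port", "dpt": "dest_port",
    "proto": "transport", "act": "action", "app": "app", "suser": "user",
    "sourceTranslatedAddress": "src_translated_ip", "destinationTranslatedAddress": "dest_translated_ip",
    "sourceTranslatedPort": "src_translated_port", "destinationTranslatedPort": "dest_translated_port",
    "deviceInboundInterface": "src_interface", "deviceOutboundInterface": "dest_interface",
}
# The cs/cn/flex slots mean nothing without their label, so alias on the label (assumed names).
LABEL_TO_CIM = {
    "Rule": "rule", "Source Zone": "src_zone", "Destination Zone": "dest_zone",
    "SessionID": "session_id", "Total bytes": "bytes", "Packets": "packets",
    "Virtual System": "vsys", "URL Category": "category",
}


def to_cim(parsed):
    """Build the aliased (CIM-style) field set; empty CEF values are left unset."""
    ext = parsed["ext"]
    cim = {name: ext[k] for k, name in CEF_TO_CIM.items() if ext.get(k, "") != ""}
    for label, value in resolve_labels(ext).items():
        if label in LABEL_TO_CIM:
            cim[LABEL_TO_CIM[label]] = value
    cim["vendor_product"] = f"{parsed['header']['vendor']} {parsed['header']['product']}"
    cim["log_subtype"] = parsed["header"]["name"]   # TRAFFIC, THREAT, ... (assumed field name)
    return cim
```

Calling `to_cim(parse_cef(SAMPLE))` yields `dest=2.2.2.2`, `dest_port=53`, `rule=InternetDNS`, `bytes=84` and so on, which is the set of names the FIELDALIAS stanzas for the CEF sourcetype would have to produce; the empty `suser=` and `duser=` pairs in the sample are deliberately not aliased, since an alias to an empty field would otherwise shadow a real value in the app's searches.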
