Getting Data In

Palo Alto App (CEF)

kphillipson
Path Finder

Any support for the Common Event Format (CEF)?

We have a requirement to send the logs out in the Common Event Format and the way the app is setup it is not recognizing it. I have changed some of the settings in the transforms.conf file to change the sourcetype on the log entries but the delimiting character is not the same and the fields are all out of sorts.

Has anyone already made these modifications to have the app work? Does the author of the application plan to include different types of formats?

Example:

Jan 31 01:11:11 192.168.1.1 CEF:0|Palo Alto Networks|PAN-OS|hostname|end|TRAFFIC|1|rt=$cefformatted-receive_time deviceExternalId=0002D01655 src=1.1.1.1 dst=2.2.2.2 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=3.3.3.3 cs1Label=Rule cs1=InternetDNS suser= duser= app=dns cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=InetRIP cs5Label=Destination Zone cs5=InternetDMZ deviceInboundInterface=ethernet10/20 deviceOutboundInterface=ethernet10/30 cs6Label=LogProfile cs6=Main Logging Profile cn1Label=SessionID cn1=261776 cnt=1 spt=18430 dpt=53 sourceTranslatedPort=18430 destinationTranslatedPort=53 flexString1Label=Flags flexString1=0x400000 proto=udp act=allow flexNumber1Label=Total bytes flexNumber1=84 cn2Label=Packets cn2=1 start=$cefformatted-time_generated cn3Label=Elapsed time in seconds cn3=0 cs2Label=URL Category cs2=any

Thanks,
Kyle

Tags (3)
0 Karma

monzy
Communicator

hello Kyle,

there is no plan to support the CEF format in this app. the app conforms to Splunk's common information model and it also conforms to PaloAlto's Syslog specification. you could create field aliases for misc fields in the CEF format. the app's dashboards and views will render appropriately.

splunk common information model: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UnderstandandusetheCommonInformationMod...

splunk field aliasing: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...