I have the 6.0.2 TA deployed per the instructions.
I'm receiving parsed logs for pan:threat, config, traffic, and system. I'm still receiving pan:log, which I believe should be parsing out to pan:hipmatch.
What may be the issue where some, but not all sourcetypes are being parsed out correctly?
Check your TA props.conf
- stanza TRANSFORMS-sourcetype
has config for pan_hipmatch and in your transforms.conf
you can verify the stanza [pan_hipmatch] and confirm the REGEX that would need to match your log source - if there it should route the log source to this particular sourcetype and parse accordingly..
Check your TA props.conf
- stanza TRANSFORMS-sourcetype
has config for pan_hipmatch and in your transforms.conf
you can verify the stanza [pan_hipmatch] and confirm the REGEX that would need to match your log source - if there it should route the log source to this particular sourcetype and parse accordingly..
You were correct. OOTB transforms.conf regex for hipmatch wasn't lining up with our log output. Had to tweak the regex. Thank you.