Hello,
I'd like to hear your input on the following issue.
We are trying to index events from our Palo Alto firewalls. The firewalls forward the logs to a Panorama, the Panorama sends the logs to a syslog collector which puts them in a folder with the name of the sending device (the Panorama). Our universal forwarder (UF) is monitoring the syslog collector and, for every file monitored, it sets the host to the name of the folder it is in and the sourcetype to pan:log. The result is that all our logs (from all the firewalls and the Panorama) are indexed with the MetaData:Host of the Panorama. So we want to rename the MetaData:Host with the value from the raw event (every log contains the hostname of the device that generated it), but we are having a hard time doing that.
The problem is that there are 4 types of logs (traffic, threat, system, config) that leave the UF with the same sourcetype (pan:log). We cannot extract the hostname with a simple regex from this sourcetype because each type of log has the hostname in a different place.
The Palo Alto Add-On (we have version 6.0.2) has the task of renaming the sourcetype based on the event (from pan:log to pan:traffic, pan:threat, pan:system and pan:config). It would be really easy to put a transform on these sourcetypes, but we can't do that because the events cannot pass twice through the parsing queue.
The only options I can think of are the following:
- Put a transform on pan:log with a really complex regex that extracts the hostname based on the log type.
- Customize the logs to have the hostname in the same place and extract them with a simple regex. (But in this case we would have to modify the extracts and also customize the logs for every new firewall that we get.)
Anybody out there who knows a better solution than the ones stated above?
Thank you.
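One way to build the single-pass transform from the first option, as an added example that is not from the original post: the Python below checks a type-keyed regex against constructed sample lines and prints the equivalent transforms.conf stanza. The CSV layouts and device-name offsets in the samples are placeholders, not the real PAN-OS syslog field order, and must be replaced with the "Device Name" positions from the PAN-OS field reference for the version in use.

```python
import re
from typing import Optional

# Constructed sample events (not real PAN-OS output). They only mimic the CSV
# layout: field 4 is the log type, and the device name sits a different number
# of fields after it for each type. Replace these offsets with the real
# "Device Name" positions from the PAN-OS syslog field reference in use.
SAMPLES = {
    "TRAFFIC": "1,2024/01/01 10:00:00,0011223344,TRAFFIC,end,2049,fw-edge-01,10.0.0.5,10.0.0.9",
    "THREAT": "1,2024/01/01 10:00:01,0011223344,THREAT,vulnerability,2049,fw-edge-02,10.0.0.5",
    "SYSTEM": "1,2024/01/01 10:00:02,0011223344,SYSTEM,general,fw-core-01,0,system-event",
    "CONFIG": "1,2024/01/01 10:00:03,0011223344,CONFIG,panorama-01,192.0.2.10,admin",
}

# One PCRE alternation keyed on the type field, so a single transform on the
# shared pan:log sourcetype can set the host before the Add-On renames the
# sourcetype (events only pass through the parsing queue once).
HOST_REGEX = re.compile(
    r"^(?:[^,]*,){3}"                       # skip the three fields before the type
    r"(?:(?:TRAFFIC|THREAT),(?:[^,]*,){2}"  # TRAFFIC/THREAT: two fields, then host
    r"|SYSTEM,[^,]*,"                       # SYSTEM: one field, then host
    r"|CONFIG,)"                            # CONFIG: host directly follows the type
    r"([^,]+)"                              # group 1: the device name
)


def extract_host(line: str) -> Optional[str]:
    """Return the device name from a raw event, or None for an unknown type."""
    m = HOST_REGEX.match(line)
    return m.group(1) if m else None


def transforms_stanza(name: str = "pan_host_from_event") -> str:
    """Equivalent transforms.conf stanza: group 1 becomes MetaData:Host."""
    return (
        f"[{name}]\n"
        f"REGEX = {HOST_REGEX.pattern}\n"
        "FORMAT = host::$1\n"
        "DEST_KEY = MetaData:Host\n"
    )


if __name__ == "__main__":
    for log_type, line in SAMPLES.items():
        print(f"{log_type:8} -> {extract_host(line)}")
    print(transforms_stanza())
    # props.conf: under [pan:log] add  TRANSFORMS-host = pan_host_from_event
```

The regex assumes the CSV body starts the raw event; if the syslog collector prepends a header to each line, the leading `^` anchor has to be replaced with a match on that header.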