Hi,
Thanks for the feedback.
I know it's best to use a syslog server rather than sending directly. This is a test setup for 1 firewall.
I have enabled data acceleration and there still seems to be nothing in the app!
This is my eventtypes.conf:
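# eventtypes.conf — Splunk event types for Palo Alto Networks firewall logs, as quoted in the post.
# Splunk search gives AND higher precedence than OR, so `A OR B AND C` parses as `A OR (B AND C)`.
# Every stanza below that narrows on log_subtype therefore wraps the two sourcetype
# alternatives in parentheses; without them the first alternative matched on its own and the
# log_subtype filter never applied to it (e.g. every pan_traffic event was tagged "session start").
# Lines ending in `$` were cut off by the terminal when the file was pasted; restore the missing
# tail from the original file before deploying this.
# NOTE(review): `tags` inside eventtypes.conf is documented as deprecated in favour of tags.conf;
# the values are kept exactly as the author wrote them.

[pan]
# Catch-all for both the legacy (pan_*) and current (pan:*) sourcetype naming.
# NOTE(review): `sourcetype=pan_` matches only a sourcetype literally named "pan_" —
# presumably `pan_*` was intended or the wildcard was lost in the paste; confirm.
search = sourcetype=pan_ OR sourcetype=pan:*

[pan_firewall]
# Truncated in the paste at `sourcetyp$`; the remaining OR alternatives are not visible here.
search = sourcetype=pan:traffic OR sourcetype=pan:threat OR sourcetype=pan:config OR sourcetype=pan:system OR sourcetyp$
tags = network

[pan_config]
search = sourcetype=pan_config OR sourcetype=pan:config
tags = change

[pan_traffic]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic
tags = network communicate

[pan_traffic_start]
# Parenthesised so that log_subtype="start" applies to both sourcetypes.
search = (sourcetype=pan_traffic OR sourcetype=pan:traffic) AND log_subtype="start"
tags = network session start

[pan_traffic_end]
# Parenthesised so that log_subtype="end" applies to both sourcetypes.
search = (sourcetype=pan_traffic OR sourcetype=pan:traffic) AND log_subtype="end"
tags = network session end

[pan_system]
search = sourcetype=pan_system OR sourcetype=pan:system
tags = update status

[pan_threat]
# Threat logs that are not url/file/... events; adjacent `!=` terms are implicitly ANDed.
# Truncated in the paste at `log_subtype != "$`; the last exclusion is not visible here.
search = (sourcetype=pan_threat OR sourcetype=pan:threat) AND log_subtype != "url" log_subtype != "file" log_subtype != "$
tags = ids attack

[pan_file]
# Parenthesised so that the file filter applies to both sourcetypes.
search = (sourcetype=pan_threat OR sourcetype=pan:threat) AND log_subtype = "file"
tags = web

[pan_url]
# Parenthesised so that the url filter applies to both sourcetypes.
search = (sourcetype=pan_threat OR sourcetype=pan:threat) AND log_subtype = "url"
tags = web

[pan_data]
# Parenthesised so that the data filter applies to both sourcetypes.
search = (sourcetype=pan_threat OR sourcetype=pan:threat) AND log_subtype = "data"
# NOTE(review): the trailing `*` looks like a paste artefact (every other stanza tags plain
# words); left as written — confirm against the original file.
tags = web*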