Palo Alto Networks TCP (PAN-OS v9+) input not parsing VendorFields.VENDOR_PRIVATE_IP, field is either NOT present when it should be or contains 0.0.0.0
Initially investigating why pan_event_name: gateway-getconfig is not parsing the virtual IP (the IP handed out by the GlobalProtect gateway, the internal IP used on that network).
Looking at the mappings via https://github.com/Graylog2/graylog2-server/blob/master/graylog2-server/src/main/java/org/graylog/integrations/inputs/paloalto9/PaloAlto9xTemplates.java#L242 and comparing them to the comma-separated message, the fields line up correctly and the data is in the message, so it is unclear why it's not being parsed.
Expected Behavior
VENDOR_PRIVATE_IP is parsed from the Palo Alto log message
Current Behavior
VENDOR_PRIVATE_IP is either missing from the message it should exist for, OR VENDOR_PRIVATE_IP only has 0.0.0.0
Possible Solution
Steps to Reproduce (for bugs)
1. 2. 3. 4.
Context
This is related to a deal we're working on closing and is very important for tracking users/devices against their virtual IP.
Your Environment