PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://splunk.paloaltonetworks.com
ISC License

PA firewall logs ingested in Splunk Cloud without field extractions #325

Open dchen-ae opened 5 months ago

dchen-ae commented 5 months ago

Describe the bug

PA firewall logs ingested in Splunk Cloud without field extractions.

Expected behavior

pan:firewall sourcetype should be transformed into pan:traffic, pan:threat, pan:system, pan:config with fields extracted

Current behavior

pan:firewall sourcetype is not being transformed and field extractions are not working in Splunk Cloud

Possible solution

If I send the logs from PA -> syslog server -> heavy forwarder -> Splunk Cloud then the logs get fields extracted. But sending directly from PA -> syslog server -> Splunk Cloud does not work. Fields are not extracted.

Fix PA addon to transform logs when indexed in Splunk Cloud

Steps to reproduce

  1. Configure syslog server to receive logs from PA firewalls
  2. Install Palo Alto Networks Add-on & App in Splunk Cloud
  3. Configure log forwarding in PA firewall to send logs to syslog server
  4. Configure Splunk Universal Forwarder on the syslog server to send PA firewall logs to Splunk Cloud

Context

Would like to send the firewall logs directly to Splunk Cloud and remove the dependency on a heavy forwarder.

Your Environment

Splunk Cloud Version: 9.1.2308.203
Palo Alto Networks Add-on for Splunk: 8.1.1
syslog-ng: 4.6
PA firewall: 10.2.7-h3

Palo Alto - Syslog Server Profile
Transport: TCP
Port: 514
Format: BSD
Facility: LOG_USER
Custom Log Format: Default

arcsector commented 4 months ago

What does your data look like?

dchen-ae commented 4 months ago

Using UF from syslog server to Splunk Cloud.

Sample log

<14>Mar 19 16:53:03 PA-FW01 1,2024/03/19 16:53:03,123456789012,TRAFFIC,end,2562,2024/03/19 16:53:03,10.0.0.10,170.85.69.65,111.11.111.1,170.85.69.65,Internal-Out-App,,,zscaler-internet-access,vsys1,inside,outside,ae4,ae3,default,2024/03/19 16:53:03,2310425,1,57279,443,18228,443,0x44001c,tcp,allow,1044,562,482,9,2024/03/19 16:52:45,0,Category_Wildcard,,7332235240441019959,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,5,4,tcp-fin,0,0,0,0,Internet-VSYS,INAP-PAFW01,from-policy,,,0,,0,,N/A,0,0,0,0,f221d4f3-299c-45ec-bfa8-87f40604b502,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-03-19T16:53:03.857+00:00,,,proxy,networking,browser-based,1,has-known-vulnerability,,zscaler-internet-access,no,no,0
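The sample line above arrives with the generic `pan:firewall` sourcetype; the add-on's props/transforms then rewrite the sourcetype from the PAN-OS TYPE column and extract the CSV columns at index time. A universal forwarder sends raw data and does not apply those sourcetype-rewriting transforms, so that work has to happen on a heavy forwarder or on the indexers where the add-on is installed. The following Python script is an added example (not the add-on's own code) that performs the same two steps on the sample line: parse the BSD syslog header, route on the TYPE column to `pan:traffic` / `pan:threat` / `pan:system` / `pan:config` (the four sourcetypes named in the issue), and pull a subset of positional TRAFFIC fields. The column positions are an assumption based on the PAN-OS traffic log layout and were checked only against this issue's sample; the SYSTEM line is constructed for the example.

```python
"""Route a PAN-OS BSD-syslog line to a pan:* sourcetype and extract TRAFFIC fields.

Added example, not the Palo Alto Networks Add-on's own code. It mirrors what the
add-on's props/transforms do at index time so the routing logic can be inspected
and tested offline. TRAFFIC column positions are an assumption (PAN-OS 10.x
traffic log layout), validated only against the sample line in this issue.
"""
import csv
import re
from typing import Dict, List, Optional

# Sample log line quoted from the issue above (arrives as sourcetype pan:firewall).
SAMPLE = "<14>Mar 19 16:53:03 PA-FW01 1,2024/03/19 16:53:03,123456789012,TRAFFIC,end,2562,2024/03/19 16:53:03,10.0.0.10,170.85.69.65,111.11.111.1,170.85.69.65,Internal-Out-App,,,zscaler-internet-access,vsys1,inside,outside,ae4,ae3,default,2024/03/19 16:53:03,2310425,1,57279,443,18228,443,0x44001c,tcp,allow,1044,562,482,9,2024/03/19 16:52:45,0,Category_Wildcard,,7332235240441019959,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,5,4,tcp-fin,0,0,0,0,Internet-VSYS,INAP-PAFW01,from-policy,,,0,,0,,N/A,0,0,0,0,f221d4f3-299c-45ec-bfa8-87f40604b502,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-03-19T16:53:03.857+00:00,,,proxy,networking,browser-based,1,has-known-vulnerability,,zscaler-internet-access,no,no,0"

# Constructed SYSTEM line for the example; only the TYPE column matters for routing.
SAMPLE_SYSTEM = "<14>Mar 19 16:55:00 PA-FW01 1,2024/03/19 16:55:00,123456789012,SYSTEM,general,0,2024/03/19 16:55:00,,,,,,general,general,0,0,general,info,Example message"

# BSD syslog header: <PRI>Mmm dd hh:mm:ss host message  (day is space-padded when < 10)
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# TYPE column (index 3) -> sourcetype the add-on is expected to assign, per the issue.
TYPE_TO_SOURCETYPE = {
    "TRAFFIC": "pan:traffic",
    "THREAT": "pan:threat",
    "SYSTEM": "pan:system",
    "CONFIG": "pan:config",
}

# Positional TRAFFIC fields (0-based CSV index). Assumption: PAN-OS 10.x traffic log layout.
TRAFFIC_FIELDS = {
    3: "type", 4: "subtype", 7: "src", 8: "dst", 9: "natsrc", 10: "natdst",
    11: "rule", 14: "app", 15: "vsys", 16: "src_zone", 17: "dst_zone",
    24: "sport", 25: "dport", 29: "proto", 30: "action", 31: "bytes",
    32: "bytes_sent", 33: "bytes_received", 34: "packets", 46: "session_end_reason",
}
INT_FIELDS = {"sport", "dport", "bytes", "bytes_sent", "bytes_received", "packets"}


def parse_syslog(line: str) -> Dict[str, object]:
    """Split the BSD syslog header off and decode PRI into facility/severity."""
    m = BSD_SYSLOG.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    hdr: Dict[str, object] = dict(m.groupdict())
    pri = int(m.group("pri"))
    hdr["facility"] = pri >> 3   # <14>: 14 >> 3 == 1 (LOG_USER, matching the syslog profile)
    hdr["severity"] = pri & 7    # 14 & 7 == 6 (informational)
    return hdr


def split_csv(msg: str) -> List[str]:
    """PAN-OS logs are CSV; use the csv module so quoted fields with commas survive."""
    return next(csv.reader([msg]))


def route_sourcetype(columns: List[str]) -> Optional[str]:
    """Return the pan:* sourcetype for this log, or None if TYPE is not one we route."""
    if len(columns) < 5:
        return None
    return TYPE_TO_SOURCETYPE.get(columns[3])


def extract_traffic(columns: List[str]) -> Dict[str, object]:
    """Map positional TRAFFIC columns to named fields, converting counters to int."""
    fields: Dict[str, object] = {}
    for idx, name in TRAFFIC_FIELDS.items():
        if idx < len(columns):
            value = columns[idx]
            fields[name] = int(value) if name in INT_FIELDS and value.isdigit() else value
    return fields


def process(line: str) -> Dict[str, object]:
    """Full pipeline for one line: header -> CSV -> sourcetype -> fields."""
    hdr = parse_syslog(line)
    columns = split_csv(str(hdr["msg"]))
    sourcetype = route_sourcetype(columns)
    # Unrouted lines keep the generic sourcetype, which is the symptom described in the issue.
    event: Dict[str, object] = {"host": hdr["host"], "sourcetype": sourcetype or "pan:firewall"}
    if sourcetype == "pan:traffic":
        event.update(extract_traffic(columns))
    return event


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_SYSTEM):
        print(process(sample))
```

Running the script prints one dict per sample; the TRAFFIC line routes to `pan:traffic` with `src`, `dst`, `dport`, `action` and the byte/packet counters populated, while the SYSTEM line routes to `pan:system` with no traffic fields. If the same check is run against events that reached Splunk Cloud still tagged `pan:firewall`, the distinction that matters is whether the routing step ever executed, not whether the data is malformed.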