Palo Alto Networks App for Splunk combines the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
Right now we get three types of values in the future_use1 field.
The one which starts with <182> is a legitimate event and parses fine.
However, there are events which start with <180> or <179>, and they don't work well because the data is about a certificate validation error or some ad hoc error.
PARSES
<182>Jun 3 18:16:02 XXXXXXX 18:16:01,012801097184,TRAFFIC,XXXXXXX
DOESNT PARSE
<180>Jun 3 17:35:56 XXXXXXX 17:35:56,012801097184,SYSTEM,XXXXXXXX dns-signature cloud service connection refused
<179>Jun 3 17:35:53 XXXXXXX 17:35:53,012801097184,SYSTEM,XXXXXX Cloud Agent Server certificate validation failed. XXXXXXXX Reason: unable to get local issuer certificate"
I think if the transforms and props can be modified to null these data then it will be cleaner for us. Right now we have set up some validations to check field extractions, and this is failing because of this anomaly.
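As an added illustration (this is not code from the post, from the Palo Alto Networks App or from Splunk), the Python below decodes the three syslog PRI values seen in the samples and models two ways a Splunk drop rule could be keyed: on the PRI prefix, as the post asks, or on the PAN-OS log type field. The hostname, the serial number and the final THREAT event are constructed placeholders; the THREAT line is hypothetical and is there only to show what a PRI-only filter would also discard.

```python
"""Decode the syslog PRI on PAN-OS events and model two Splunk routing rules."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events modelled on the masked lines in the post; the hostname and
# serial number are placeholders. The final THREAT event is hypothetical and is here
# only to show what a PRI-only filter would also drop.
SAMPLE_EVENTS = [
    "<182>Jun 3 18:16:02 fw-edge-01 18:16:01,012801097184,TRAFFIC,end",
    "<180>Jun 3 17:35:56 fw-edge-01 17:35:56,012801097184,SYSTEM,dns-signature cloud service connection refused",
    "<179>Jun 3 17:35:53 fw-edge-01 17:35:53,012801097184,SYSTEM,Cloud Agent Server certificate validation failed. Reason: unable to get local issuer certificate\"",
    "<179>Jun 3 17:40:00 fw-edge-01 17:40:00,012801097184,THREAT,vulnerability",
]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # RFC 3164 PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "   # Mmm d HH:MM:SS
    r"(?P<host>\S+) "                                        # sending host
    r"(?P<body>.*)$"                                         # PAN-OS CSV body
)

# The rule the post asks for, as a Splunk transforms.conf REGEX would see it.
DROP_BY_PRI_RE = re.compile(r"^<(179|180)>")


@dataclass
class PanEvent:
    pri: int
    facility: str
    severity: str
    host: str
    serial: str
    log_type: str
    fields: List[str]


def parse_event(line: str) -> Optional[PanEvent]:
    """Split the syslog header from the PAN-OS CSV body and decode the PRI."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0..23 and severity 0..7 give at most 191
        return None
    facility_num, severity_num = divmod(pri, 8)
    facility = f"local{facility_num - 16}" if 16 <= facility_num <= 23 else str(facility_num)
    # A plain split is enough for these samples; PAN-OS quotes fields that contain
    # commas, so a full parser would run csv.reader over the body instead.
    fields = m.group("body").split(",")
    if len(fields) < 3:
        return None
    return PanEvent(pri, facility, SEVERITY_NAMES[severity_num], m.group("host"),
                    fields[1], fields[2], fields)


def route_by_pri(line: str) -> str:
    """Mirror a transforms.conf stanza with REGEX = ^<(179|180)>, DEST_KEY = queue, FORMAT = nullQueue."""
    return "nullQueue" if DROP_BY_PRI_RE.match(line) else "indexQueue"


def route_by_type(line: str) -> str:
    """Narrower rule: drop only SYSTEM records and keep every other PAN-OS log type, whatever its PRI."""
    ev = parse_event(line)
    if ev is None:
        return "nullQueue"             # unparseable: cannot be a well-formed PAN-OS record
    return "nullQueue" if ev.log_type == "SYSTEM" else "indexQueue"


def describe(line: str) -> str:
    """Human-readable summary of the decoded header, for the demo below."""
    ev = parse_event(line)
    if ev is None:
        return "unparseable"
    return f"pri={ev.pri} ({ev.facility}.{ev.severity}) type={ev.log_type} serial={ev.serial}"


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(f"{describe(line):58} by_pri={route_by_pri(line):10} by_type={route_by_type(line)}")
```

route_by_pri is the rule the post asks for: in Splunk it is a props.conf line such as TRANSFORMS-null = pan_drop_by_pri on the sourcetype, plus a transforms.conf stanza [pan_drop_by_pri] with REGEX = ^<(179|180)>, DEST_KEY = queue and FORMAT = nullQueue, applied on whichever tier parses the data (indexer or heavy forwarder, not a universal forwarder). Before adopting it, check what else the firewalls emit at syslog severities 3 and 4 from that facility: a PRI-only filter drops every such event regardless of log type, which is why the constructed THREAT line at <179> is discarded by route_by_pri but kept by route_by_type. The certificate validation failures are also worth keeping somewhere rather than nulling; routing SYSTEM records to their own sourcetype instead of the nullQueue preserves them without breaking the TRAFFIC field extractions.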