criblpacks / cribl-palo-alto-networks

Process, reduce, and transform Palo Alto Networks Firewall logs.
Apache License 2.0

DECRYPTION logs improper sourcetype #19

Closed FusionFC closed 1 year ago

FusionFC commented 2 years ago

DECRYPTION logs should be sourcetype pan:decryption, not pan:traffic.

From the PA TA v7.0.4:

[pan_decryption]
DEST_KEY = MetaData:Sourcetype
REGEX = ^[^,]+,[^,]+,[^,]+,DECRYPTION,
FORMAT = sourcetype::pan:decryption
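As an added check (not part of the issue or of the pack's own code), the following Python applies the quoted TA regex to constructed sample events and shows which of them are routed to pan:decryption; the pan:traffic fallback is an assumption taken from the behaviour the issue reports.

```python
import re

# Stanza quoted from the PA TA in the issue: route any CSV record whose
# fourth field is DECRYPTION to sourcetype pan:decryption.
DECRYPTION_REGEX = re.compile(r"^[^,]+,[^,]+,[^,]+,DECRYPTION,")


def assign_sourcetype(raw: str, default: str = "pan:traffic") -> str:
    """Return the sourcetype the TA stanza would set for one raw PAN event.

    `default` is an assumption: the issue reports DECRYPTION events landing
    in pan:traffic, so that is used as the fallback when the regex misses.
    """
    return "pan:decryption" if DECRYPTION_REGEX.search(raw) else default


# Constructed sample events (not real firewall output). Field 4 is the log type.
SAMPLES = {
    "decryption": "1,2024/01/10 10:00:00,012345678901,DECRYPTION,end,2561,"
                  "2024/01/10 10:00:00,10.0.0.5,203.0.113.10,...",
    "traffic": "1,2024/01/10 10:00:01,012345678901,TRAFFIC,end,2561,"
               "2024/01/10 10:00:01,10.0.0.5,203.0.113.10,...",
    # The word DECRYPTION in the wrong column: the anchored regex must not match.
    "not_type_field": "1,2024/01/10 10:00:02,DECRYPTION,TRAFFIC,end,...",
    # Syslog header glued to field 1: still exactly three commas before the type.
    "with_syslog_header": "Jan 10 10:00:03 fw-edge-01 1,2024/01/10 10:00:03,"
                          "012345678901,DECRYPTION,end,...",
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each constructed sample name to the sourcetype the stanza assigns."""
    return {name: assign_sourcetype(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sourcetype in classify_all().items():
        print(f"{name:20s} -> {sourcetype}")
```

Only the records whose fourth comma-separated field is DECRYPTION are retagged; a TRAFFIC record, or one with DECRYPTION in another column, keeps the fallback sourcetype.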