Closed fpunzohig closed 9 months ago
It is an enhancement request; for now, enable the sc4s fallback catch and write a parser to override the sourcetype.
Can you please share the pcap file using a support ticket? We will work on enhancing it; this GitHub issue can be mentioned in the ticket.
Working on this. Will post shortly.
@rjha-splunk can you provide an email address for me to send the pcap file? My company doesn't allow posting company data publicly.
@rjha-splunk I am also trying to have our Splunk Support Engineer (Splunk employee) forward you the pcap file via email. I asked him to look up your email address.
@rjha-splunk I verified with our Splunk Support Engineer (Splunk employee) that he sent you the pcap file you requested. Please post here if you need any other information.
I confirm that we received it and it is added to our sprint; I will post by Friday if I have any questions.
Hi, today I reviewed the pcap shared and it has only a few messages, and all are coming to Splunk as panos:log. Please add the following entry as well in splunk_metadata.csv to redirect the traffic:
pan_panos,index,pan_logs
and restart sc4s. I also suggest sending more pcaps and marking which pcap is for which log type.
The logs with "DECRYPTION" in them are the logs we were trying to add. After I followed your suggestion and added pan_panos,index,pan_logs to splunk_metadata.csv, I am now seeing our "DECRYPTION" logs coming into the pan_logs index.
@fpunzohig a filter fix for DECRYPTION will be added in https://github.com/splunk/splunk-connect-for-syslog/pull/2322 . Before it's merged, feel free to test on ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2322
Fix released in v.3.19.1.
Hello,
We are successfully receiving some of our logs through SC4S but some logs are not showing up in Splunk. Currently, we are successfully receiving the following logs:
System -> pan:system
Configuration -> pan:config
HIP Match -> pan:hipmatch
Traffic -> pan:traffic
Threat -> pan:threat
We are currently sending the following logs but they are not being forwarded to Splunk:
URL - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/url-filtering-logs
WildFire - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/wildfire-submissions-logs
Authentication - https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs/network-authentication-log#:~:text=Auth%20logs%20contain%20information%20about%20authentication%20events%20seen,associated%20firewalls%20are%20not%20configured%20with%20authentication%20policies.
User-ID - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/user-id-logs
Decryption - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs
env_file:
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://obfuscated:443
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=obfuscated
# Uncomment the following line if using untrusted SSL certificates
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

splunk_metadata.csv:
pan_panos_config,index,pan_logs
pan_panos_correlation,index,pan_logs
pan_panos_globalprotect,index,pan_logs
pan_panos_hipmatch,index,pan_logs
pan_panos_log,index,pan_logs
pan_panos_system,index,pan_logs
pan_panos_threat,index,pan_logs
pan_panos_traffic,index,pan_logs
nix_syslog,index,aws_osnix
Can you please provide some suggestion for how we can get those logs ingested through SC4S into Splunk?
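An added example, not code from this thread or from the SC4S project: a small checker for the splunk_metadata.csv format quoted above (key,metadata,value rows). It loads the file as posted, then again with the `pan_panos,index,pan_logs` line suggested in the thread appended, and shows which vendor_product keys resolve to an index in each case. The lookup order it uses (exact key first, then a vendor-level fallback key, otherwise no override) is an assumption made for the example and is not SC4S's own lookup logic; the key `pan_panos_decryption` is a hypothetical name chosen to stand for a log type that has no entry of its own.

```python
import csv
import io

# Constructed sample: the splunk_metadata.csv quoted in the issue.
ISSUE_METADATA_CSV = """\
pan_panos_config,index,pan_logs
pan_panos_correlation,index,pan_logs
pan_panos_globalprotect,index,pan_logs
pan_panos_hipmatch,index,pan_logs
pan_panos_log,index,pan_logs
pan_panos_system,index,pan_logs
pan_panos_threat,index,pan_logs
pan_panos_traffic,index,pan_logs
nix_syslog,index,aws_osnix
"""
# The catch-all entry suggested in the thread.
SUGGESTED_FALLBACK_LINE = "pan_panos,index,pan_logs\n"


def parse_metadata(text):
    """Parse key,metadata,value rows into a dict keyed by (key, metadata).

    Blank lines and '#' comment lines are skipped; a row with the wrong
    number of fields raises, so a typo in the file is caught before it
    silently drops an index override."""
    rows = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(row)}: {row}")
        key, meta, value = (field.strip() for field in row)
        rows[(key, meta)] = value
    return rows


def resolve_index(rows, key, fallback_key=None):
    """Return (index, matched_key) for a vendor_product key.

    Assumed lookup order for this example (not SC4S's own code): the exact
    key wins; if it is absent, the vendor-level fallback key is consulted;
    if neither exists, (None, None) means no index override applies."""
    if (key, "index") in rows:
        return rows[(key, "index")], key
    if fallback_key and (fallback_key, "index") in rows:
        return rows[(fallback_key, "index")], fallback_key
    return None, None


def missing_index_keys(rows, expected_keys):
    """List the expected keys that have no 'index' row at all."""
    return [k for k in expected_keys if (k, "index") not in rows]


if __name__ == "__main__":
    before = parse_metadata(ISSUE_METADATA_CSV)
    after = parse_metadata(ISSUE_METADATA_CSV + SUGGESTED_FALLBACK_LINE)
    # "pan_panos_decryption" is a hypothetical key with no entry of its own.
    for label, rows in (("before", before), ("after", after)):
        idx, matched = resolve_index(rows, "pan_panos_decryption", "pan_panos")
        print(f"{label}: pan_panos_decryption -> index={idx} via {matched}")
    print("missing before:", missing_index_keys(before, ["pan_panos", "pan_panos_traffic"]))
```

Run it as a script to see the two resolutions side by side: with the file as posted, a log type that has no dedicated key resolves to no index at all, which is the symptom described in the issue; with the suggested `pan_panos` line present, the same key falls through to `pan_logs`.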