splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0
152 stars 107 forks

PaloAlto GlobalProtect host extraction issue #2262

Closed Mosstrow closed 7 months ago

Mosstrow commented 10 months ago

Hello Team,

The HOST extraction based on the dvc_name field is not working for the PaloAlto sourcetype "pan:globalprotect" when the logs come from Panorama.

Here is a sample where dvc_name is "DEVICENAME":

1,2023/11/09 16:39:28,007051000116377,GLOBALPROTECT,0,2561,2023/11/09 16:39:16,vsys1,gateway-logout,logout,,,domain\TEST,BE,WORKSTATION01,8.8.8.8,0.0.0.0,192.0.0.1,0.0.0.0,50873e27-b13d-41c0-a36d-e75ea6e165bc,5CG12351RB,5.2.12,Windows,"Microsoft Windows 10 Enterprise , 64-bit",1,,,"client logout",success,,1554,,0,TEST-GP-Gateway-Cert,7296070149277236848,0x8000000000000000,2023-11-09T16:39:17.223+01:00,,,,,,13,19,52,450,,DEVICENAME,1

Could this be linked to the fact that there is no parser for GlobalProtect at line 134 of the configuration? https://github.com/splunk/splunk-connect-for-syslog/blob/ffe639d033765a51f7b9842301c960250b71267f/package/etc/conf.d/conflib/syslog/app-syslog-pan_panos.conf#L134

Thanks
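Why the missing extraction matters: when Panorama forwards firewall logs, the syslog header carries Panorama's own hostname, so unless dvc_name is pulled out of the CSV body every firewall's GlobalProtect events land under the Panorama host and per-device searching and correlation in Splunk break. The Python below is an added example, not code from this thread or from SC4S (which is built on syslog-ng, not Python); it models the column arithmetic the extraction needs using the sample line from the issue. The syslog header host "panorama01" is an assumption for illustration. Counting the sample, Device Name is the 48th of 49 columns, immediately before the trailing Virtual System ID; the example also shows why a plain split on commas is wrong for this format.

```python
import csv
import io

# Constructed sample input: the GlobalProtect line posted in the issue, as it
# would appear in the syslog message body once Panorama forwards it. The
# syslog header hostname below is an assumption for illustration only.
HEADER_HOST = "panorama01"
GP_LINE = (
    "1,2023/11/09 16:39:28,007051000116377,GLOBALPROTECT,0,2561,2023/11/09 16:39:16,"
    "vsys1,gateway-logout,logout,,,domain\\TEST,BE,WORKSTATION01,8.8.8.8,0.0.0.0,"
    "192.0.0.1,0.0.0.0,50873e27-b13d-41c0-a36d-e75ea6e165bc,5CG12351RB,5.2.12,Windows,"
    '"Microsoft Windows 10 Enterprise , 64-bit",1,,,"client logout",success,,1554,,0,'
    "TEST-GP-Gateway-Cert,7296070149277236848,0x8000000000000000,"
    "2023-11-09T16:39:17.223+01:00,,,,,,13,19,52,450,,DEVICENAME,1"
)

# 0-based column positions in the 49-column layout of the sample line.
TYPE_FIELD = 3        # "GLOBALPROTECT"
DVC_NAME_FIELD = 47   # Device Name, the second-to-last column


def split_panos_csv(line):
    """Split a PAN-OS CSV log line, honouring double-quoted fields.

    The Client OS Version column ("Microsoft Windows 10 Enterprise , 64-bit")
    contains a comma, so the csv module is used rather than str.split: a
    comma-only split yields 50 columns and shifts every later field by one.
    """
    return next(csv.reader(io.StringIO(line), delimiter=",", quotechar='"'))


def extract_dvc_name(line):
    """Return the Device Name of a GLOBALPROTECT line, or None.

    None is returned when the line is not a GLOBALPROTECT record, is too
    short for this layout, or has an empty Device Name, so the caller can
    fall back to the syslog header host instead of setting an empty host.
    """
    fields = split_panos_csv(line)
    if len(fields) <= DVC_NAME_FIELD or fields[TYPE_FIELD] != "GLOBALPROTECT":
        return None
    return fields[DVC_NAME_FIELD].strip() or None


def resolve_host(line, header_host):
    """Host to index the event under: dvc_name if present, else the syslog host."""
    return extract_dvc_name(line) or header_host


def naive_dvc_name(line):
    """The same column read after a comma-only split: wrong because of the quoted comma."""
    fields = line.split(",")
    return fields[DVC_NAME_FIELD] if len(fields) > DVC_NAME_FIELD else None


if __name__ == "__main__":
    print("csv columns:", len(split_panos_csv(GP_LINE)))      # 49
    print("naive columns:", len(GP_LINE.split(",")))          # 50
    print("dvc_name:", extract_dvc_name(GP_LINE))             # DEVICENAME
    print("naive dvc_name:", repr(naive_dvc_name(GP_LINE)))   # ''
    print("host:", resolve_host(GP_LINE, HEADER_HOST))        # DEVICENAME
```

The column positions above are those of the 49-field layout in the sample; other PAN-OS releases add or remove trailing columns, so a production parser should key the layout off the version it actually receives rather than hard-coding one index for all of them.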

ikheifets-splunk commented 9 months ago

Hello, @Mosstrow! If I understood correctly, we need to enrich dvc_name for GLOBALPROTECT. Can you please send me a .pcap file with that log to my email ikheifets@splunk.com and I will make a Pull Request

mstopa-splunk commented 7 months ago

@Mosstrow this will be fixed by https://github.com/splunk/splunk-connect-for-syslog/pull/2322 . Before it's merged, feel free to test on ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2322 . I will also add your example to tests

mstopa-splunk commented 7 months ago

Fix released in v3.19.1