When configured to send before/after config change details, logs lose CONFIG so sourcetype changes from pan:config to pan:log
We cannot be the first person to mention that we need this and that it does not work currently. I believe that the problem is really in the PAN network device, not in anything in Splunk (not really in this TA). Normally the logs look like this:
Apr 22 08:17:35 hostname <14>Apr 22 08:17:36 Panorama.Company 1,2019/04/22 08:17:33,000702756019,CONFIG,0,0,2019/04/22 08:17:33,192.168.131.45,,edit,username,Web,Succeeded, device-group Tulsa post-rulebase security rules TESTMFA-Portal,6614208996859446026,0x0,0,0,0,0,,Panorama
After the server is updated to send before/after changes, the logs lose ",CONFIG," and look completely different, so they do not process correctly, and look like this:
Apr 22 14:37:05 hostname <14>Apr 22 14:37:06 Panorama.Company 0x0 username TESTMFA-Portal { action deny; } TESTMFA-Portal { action allow; } Web edit Panorama 0 0 0 2019/04/22 14:37:06 192.168.131.45 0 2019/04/22 14:37:06 Succeeded 6614208996859446058 000702756019
Hello @greggwoodcock,
Agreed, it will not parse correctly without ,CONFIG,. Let us look into this and get back to you.
-Brian
Thank you, Brian! We have a highly motivated PAN user, Cimarex, who would probably be willing to work as alpha/beta test for this work (key people added CC). This is a high-priority deliverable for security mandate there and we are pretty much hung up at this point, without your help to fix it at the origination point (there is really not enough punctuation/schema for us to exploit).
I worked with my firewall admins on setting up config after_change_detail and before_change_detail. In our environment "CONFIG" is coming through fine and sourcetype evaluates to "pan:config".
sample log:
Dec 10 18:14:01 1,2018/12/10 18:14:01,,CONFIG,0,0,2018/12/10 18:14:01,10.130.9.136,,edit,,Web,Succeeded, device-group post-rulebase security rules testing,49690,0x0,testing { } ,testing { target { devices { <targetSN{ } } } } , panorama ,0,0,0,0,,panorama
I believe we are on Pan OS 8.0.13
What version and which config(s) exactly?
On Thu, May 23, 2019, 8:42 AM MonkeyKa [email protected] wrote:
I worked with my firewall admins on setting up config after_change_detail and before_change_detail. In our environment "CONFIG" is coming through fine and sourcetype evaluates to "pan:config".
sample log Dec 10 18:14:01 1,2018/12/10 18:14:01,,CONFIG,0,0,2018/12/10 18:14:01,10.130.9.136,,edit,,Web,Succeeded, device-group post-rulebase security rules testing,49690,0x0,testing { } ,testing { target { devices { <targetSN{ } } } } , panorama ,0,0,0,0,,panorama
I believe we are on Pan OS 8.0.13
version of what? Splunk: 7.0.6, ES: 5.0.1, Pan OS 8.0.13
IIRC, the syslog config has been customized to specifically add $before-change-detail,$after-change-detail. Current custom syslog for config events:
1,$receive_time,$serial,$type,$subtype,0,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$seqno,$actionflags,$before-change-detail,$after-change-detail,$device_name,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name
Note that some of my log record example above appears to have been altered. From the custom config, the $type field appears to map to "CONFIG" in the log record. Trying that again here:
Jun 7 13:19:40 PanoramaDNS 1,2019/06/07 13:19:40,PanoramaSN,CONFIG,0,0,2019/06/07 13:19:40,changeUserIP,,edit,changeUser,Web,Succeeded, config shared address-group addressGroupName,68333,0x0, addressGroupName_ForBeforeChange { static [ before_list ]; } ,addressGroupName_ForAfterChange { static [ after_list ]; } ,PanDevicename,0,0,0,0,,PanDeviceName
The first two fields (Jun 7 13:19:40 PanoramaDNS) are coming from Syslog; the rest relate to the custom config.
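To make the routing discussed in this thread concrete, here is an added Python example (not code from the Splunk TA or from Palo Alto Networks) that locates the CSV body of a PAN-OS config event behind the syslog header(s), routes it to pan:config only when the $type column reads CONFIG, and maps the columns onto the custom format quoted above. The routing rule, the strict column-count check and the `_2` suffix for the repeated $device_name field are this example's own choices, not the TA's.

```python
import re

# Custom config-log format quoted in the thread; the literal "1" is kept as
# its own column so indexes line up with the raw event.
CUSTOM_FORMAT = (
    "1,$receive_time,$serial,$type,$subtype,0,$time_generated,$host,$vsys,"
    "$cmd,$admin,$client,$result,$path,$seqno,$actionflags,"
    "$before-change-detail,$after-change-detail,$device_name,$dg_hier_level_1,"
    "$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name")
FIELDS = [f.lstrip("$") for f in CUSTOM_FORMAT.split(",")]
TYPE_INDEX = 3  # $type column position, shared by default and custom formats
# CSV body = first "1," after whitespace; skips syslog header(s) a relay adds.
BODY_RE = re.compile(r"(?:^|\s)(1,.*)$")
# Two events copied from the thread: custom-format CONFIG event, broken event.
CONFIG_EVENT = (
    "Jun 7 13:19:40 PanoramaDNS 1,2019/06/07 13:19:40,PanoramaSN,CONFIG,0,0,"
    "2019/06/07 13:19:40,changeUserIP,,edit,changeUser,Web,Succeeded, config shared "
    "address-group addressGroupName,68333,0x0, addressGroupName_ForBeforeChange "
    "{ static [ before_list ]; } ,addressGroupName_ForAfterChange "
    "{ static [ after_list ]; } ,PanDevicename,0,0,0,0,,PanDeviceName")
BROKEN_EVENT = (
    "Apr 22 14:37:05 hostname <14>Apr 22 14:37:06 Panorama.Company 0x0 username "
    "TESTMFA-Portal { action deny; } TESTMFA-Portal { action allow; } Web edit "
    "Panorama 0 0 0 2019/04/22 14:37:06 192.168.131.45 0 2019/04/22 14:37:06 "
    "Succeeded 6614208996859446058 000702756019")

def csv_columns(line):
    """Comma-separated columns of the PAN-OS body, or None if no CSV body."""
    m = BODY_RE.search(line)
    return m.group(1).split(",") if m else None

def sourcetype_for(line):
    """Routing as the thread describes: pan:config only when $type is CONFIG;
    the key/value-style event that dropped CONFIG falls through to pan:log."""
    cols = csv_columns(line)
    if cols and len(cols) > TYPE_INDEX and cols[TYPE_INDEX] == "CONFIG":
        return "pan:config"
    return "pan:log"

def parse_custom_config(line):
    """Map columns onto the custom format's names. None when the count differs,
    which also rejects a comma inside a change detail (it shifts later fields)."""
    cols = csv_columns(line)
    if cols is None or len(cols) != len(FIELDS):
        return None
    out = {}
    for name, value in zip(FIELDS, cols):
        key = name if name not in out else name + "_2"  # $device_name occurs twice
        out[key] = value.strip()
    return out
```

A default-format CONFIG event (22 columns, no before/after detail) still routes to pan:config but returns None from `parse_custom_config`, so the two checks separate "wrong sourcetype" from "wrong custom format".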