Splunk-Apps
Incorrect use of Network_Sessions CIM model
Per http://docs.splunk.com/Documentation/CIM/4.7.0/User/NetworkSessions the Network_Sessions DM is for DHCP and VPN traffic. The current version includes these eventtypes:
[pan_traffic_start]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="start"
#tags = network session start
[pan_traffic_end]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="end"
This tags ALL Palo Alto traffic as Network Sessions, which makes the data model run for a very long time.
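One way to stop these eventtypes from feeding the Network_Sessions data model without editing the app's own files is a tags.conf override in the app's local directory. This is an added example, not part of the original post or the app's shipped configuration; it assumes the eventtype names shown above (pan_traffic_start and pan_traffic_end) and that the app tags them with the network and session tags that the Network_Sessions data model's root search (tag=network tag=session) selects.

```ini
# local/tags.conf (added example; assumes the eventtype names and tags shown in the post)
# Disabling a tag here overrides the app's default/tags.conf, so the eventtype no longer
# matches "tag=network tag=session" and the Network_Sessions data model skips it.
# Local overrides survive app upgrades; edits to default/ do not.
[eventtype=pan_traffic_start]
network = disabled
session = disabled
start = disabled

[eventtype=pan_traffic_end]
network = disabled
session = disabled
end = disabled
```

After restarting Splunk or reloading the conf, confirm with a search such as `eventtype=pan_traffic_start tag=session` returning no results, and check the data model's acceleration search time in the Data Model Audit dashboard to verify the firewall traffic is no longer included.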
Thanks for the feedback, we'll check with Splunk on this and make corrections as necessary. Will report the results here.
I worked around this by not logging start events, as recommended by Palo Alto.