
Splunk_TA_paloalto not parsing logs

Open · jbnsbstn opened this issue 5 years ago · 1 comment

Is your feature request related to a problem?

I have installed the add-on in HF, but the logs are not parsing.

I can see the sourcetypes are getting segregated (pan:traffic, pan:system, pan:threat), but the logs are showing as raw logs and are not getting parsed for fields like src_ip, dst_ip, etc.

Sample logs look like:

```
<14>Feb 17 14:19:33 xx.xx.xx.xx 1,2020/02/17 14:19:33,016401000908,TRAFFIC,end,2304,2020/02/17 14:19:33,35.xx.xx.xx.xx,xx.xx.xx.xx0.0.0.0,0.0.0.0,INET-GUEST-ACCESS,,,non-syn-tcp,vsys1,INTERNET,INTERNET,ae2,ae2,LOG_FWD_PROF_1,2020/02/17 14:19:33,727602,1,443,24892,0,0,0xc,tcp,allow,66,66,0,1,2020/02/17 14:18:01,0,any,0,20697326448,0x0,,0,1,0,aged-out,0,0,0,0,,FWRY94-WIFI-F1-02,from-policy,,,0,,0,,N/A,0,0,0,0,50f6973a-da2e-435d-8ba9-40c9ee826cd7,0--
```

jbnsbstn avatar Feb 16 '20 08:02 jbnsbstn

You're using the IETF format, which the HF doesn't support. You need to use BSD or switch to using Splunk Connect for Syslog, which does support IETF.

ryanfaircloth avatar Feb 05 '21 18:02 ryanfaircloth
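The two things a practitioner wants to check when a PAN-OS feed lands as raw events are (a) which syslog framing the firewall is actually sending, since the reply above turns on BSD (RFC 3164) versus IETF (RFC 5424), and (b) whether the comma-separated TRAFFIC payload itself splits into the expected fields (src_ip, dst_ip, ports, action). The script below is an added example written for this thread; it is not code from Splunk_TA_paloalto, Splunk Connect for Syslog, or anyone posting here. It classifies the header, strips it, and maps the payload to named fields. The field positions in `TRAFFIC_FIELDS` are my assumption based on the PAN-OS traffic-log field order and should be checked against the syslog field description for the PAN-OS version in use; the sample lines are constructed, not taken from the reporter's redacted log.

```python
"""Classify the syslog framing of a PAN-OS log line and pull named fields
out of a TRAFFIC record.  Added example; not part of Splunk_TA_paloalto."""
import csv
import io
import re

# RFC 3164 ("BSD"): <PRI>Mmm dd HH:MM:SS hostname payload
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 ("IETF"): <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
IETF_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)

# 0-based positions in the comma-separated TRAFFIC record.
# ASSUMPTION: taken from the PAN-OS traffic-log field order; verify against the
# syslog field description for your PAN-OS version before relying on it.
TRAFFIC_FIELDS = {
    1: "receive_time", 2: "serial", 3: "log_type", 4: "log_subtype",
    6: "generated_time", 7: "src_ip", 8: "dst_ip", 9: "nat_src_ip",
    10: "nat_dst_ip", 11: "rule", 12: "src_user", 13: "dst_user", 14: "app",
    15: "vsys", 16: "src_zone", 17: "dst_zone", 18: "src_interface",
    19: "dst_interface", 20: "log_forwarding_profile", 22: "session_id",
    23: "repeat_count", 24: "src_port", 25: "dst_port", 26: "nat_src_port",
    27: "nat_dst_port", 28: "flags", 29: "protocol", 30: "action",
    31: "bytes", 32: "bytes_out", 33: "bytes_in", 34: "packets",
    35: "start_time", 36: "elapsed_time", 37: "category",
}

# Constructed sample payload (39 fields) with hypothetical addresses/host.
_PAYLOAD = ",".join([
    "1", "2020/02/17 14:19:33", "016401000908", "TRAFFIC", "end", "2304",
    "2020/02/17 14:19:33", "10.0.0.5", "192.0.2.10", "0.0.0.0", "0.0.0.0",
    "INET-GUEST-ACCESS", "", "", "ssl", "vsys1", "INTERNET", "INTERNET",
    "ae2", "ae2", "LOG_FWD_PROF_1", "2020/02/17 14:19:33", "727602", "1",
    "51234", "443", "0", "0", "0xc", "tcp", "allow", "66", "66", "0", "1",
    "2020/02/17 14:18:01", "0", "any", "0",
])
SAMPLE_BSD = "<14>Feb 17 14:19:33 fw01.example.net " + _PAYLOAD
SAMPLE_IETF = "<14>1 2020-02-17T14:19:33Z fw01.example.net - - - - " + _PAYLOAD


def split_syslog(line):
    """Return (framing, hostname, payload); framing is 'bsd', 'ietf' or 'unknown'."""
    m = IETF_HEADER.match(line)
    if m:
        return "ietf", m.group("host"), m.group("msg")
    m = BSD_HEADER.match(line)
    if m:
        return "bsd", m.group("host"), m.group("msg")
    return "unknown", None, line


def parse_traffic(payload):
    """Map a PAN-OS TRAFFIC CSV payload to named fields.  Returns None when the
    record is not a TRAFFIC log or is too short to hold the expected fields."""
    row = next(csv.reader(io.StringIO(payload)))  # csv handles quoted fields
    if len(row) <= max(TRAFFIC_FIELDS) or row[3] != "TRAFFIC":
        return None
    return {name: row[idx] for idx, name in TRAFFIC_FIELDS.items()}


def parse_line(line):
    """Full pipeline: detect framing, strip the header, extract TRAFFIC fields."""
    framing, host, payload = split_syslog(line)
    fields = parse_traffic(payload)
    if fields is not None:
        fields["syslog_framing"] = framing
        fields["host"] = host
    return framing, fields


if __name__ == "__main__":
    for sample in (SAMPLE_BSD, SAMPLE_IETF):
        framing, fields = parse_line(sample)
        print(framing, fields["src_ip"], "->", fields["dst_ip"], fields["dst_port"], fields["action"])
```

Running it against a few lines captured from the actual feed (for example with `tcpdump` or from the forwarder's raw events) tells you directly whether the firewall is emitting BSD or IETF framing, and whether the payload has the field count the mapping expects. A line the regexes classify as `unknown` is itself a finding: something upstream has altered the header, and no sourcetype-based extraction will line up until that is fixed.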