
Some events from PaloAlto are sent to fallback

Open ivanfr90 opened this issue 5 months ago • 0 comments

Note: If your issue is not a bug or a feature request, please raise a support ticket through our support portal (Splunk.com > Support > Support Portal). This will help us resolve your issue more efficiently and provide you with better assistance. For more information on how to work with Splunk Support, please refer to this guide.

Was the issue replicated by support? No

What is the sc4s version? 3.36.0 - latest version

Which operating system (including its version) are you using for hosting SC4S? Unix

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? Docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? No

Is the issue related to the environment of the customer or Software related issue? No

Is it related to data loss? Please explain. Protocol? Hardware specs? No

Last chance index/Fallback index? Events sometimes end in fallback

Is the issue related to local customization? The only customization is the redirection to custom indexes.

Do we have all the default indexes created? We are using custom indexes.

Describe the bug We are indexing data from PaloAlto. All types are indexing fine:

pan:config pan:globalprotect pan:hipmatch pan:system pan:threat pan:traffic pan:userid

but some events are sent to fallback. These events are only of type SYSTEM or GLOBALPROTECT, but we also have events of these types that are well classified.

This is an example of GLOBALPROTECT event sent to fallback:

PRI=14
MESSAGE=timestamp=2025/05/19 16:49:30, serial=016201487646, type=GLOBALPROTECT, subtype=0, time_generated=2025/05/19 16:49:30, vsys=vsys1, evt.name=GW-21-check, stage=host-info, auth_method=, tunnel_type=, usr.id=company\53432, srcregion=ES, machinename=host-001, public_ip=100.32.33.32, public_ipv6=0.0.0.0, private_ip=192.100.32.33, private_ipv6=0.0.0.0, hostid=45334323452452345, serialnumber=, client_ver=6.1.4, client_os=any, client_os_ver=, repeatcnt=1, reason=, error=, opaque="HIP report is not needed", status=success, location=COMPANY_HQ_ES, login_duration=0, connect_method=, error_code=0, portal=portal.company.com, seqno=7496031998222220982, actionflags=0x8000000000000000, selection_type=, response_time=, priority=, attempted_gateways=, gateway=, dg_hier_level_1=30, dg_hier_level_2=0, dg_hier_level_3=0, dg_hier_level_4=0, vsys_name=, device_name=FW-1, vsys_id=1

The particularity that we have detected is that the host of the uncategorized SYSTEM or GLOBALPROTECT events is "fw-1.company.com", whereas in the well-categorized events the host is "fw-1". We don't have specific filters.

We are receiving data in the default 514 port. No specific configs from vendor are implemented.

Any suggestion about this?

Thanks.

ivanfr90, May 19 '25 15:05
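Added here as a triage example, not code from the issue or from SC4S: it parses the PRI=/MESSAGE= shape quoted above into fields (handling quoted values that contain commas) and counts PAN-OS event types per Splunk host, so the FQDN-vs-short-name observation can be checked across a batch of fallback events instead of one at a time. The host values and the shortened message bodies are constructed samples.

```python
import re
from collections import Counter

# Constructed records in the shape quoted in the issue: the Splunk host field
# (hypothetical) plus the PRI=/MESSAGE= text SC4S wrote to the fallback index.
SAMPLE_RECORDS = [
    ("fw-1.company.com",
     'PRI=14\nMESSAGE=timestamp=2025/05/19 16:49:30, serial=016201487646, '
     'type=GLOBALPROTECT, subtype=0, evt.name=GW-21-check, auth_method=, '
     'usr.id=company\\53432, opaque="HIP report is not needed", '
     'status=success, device_name=FW-1, vsys_id=1'),
    ("fw-1.company.com",
     'PRI=14\nMESSAGE=timestamp=2025/05/19 16:50:02, serial=016201487646, '
     'type=SYSTEM, subtype=general, opaque="Config commit, job id 12", '
     'device_name=FW-1, vsys_id=1'),
]

# One key=value pair: dotted keys (evt.name), a quoted value that may contain
# commas, or an unquoted value running to the next comma (possibly empty).
KV_RE = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|[^,]*)(?:,\s*|$)')


def parse_pri(pri):
    """Split a syslog PRI into (facility, severity); 14 -> (1, 6)."""
    return pri >> 3, pri & 0x7


def parse_kv(message):
    """Parse the comma-separated key=value body of a PAN-OS event."""
    fields = {}
    for key, value in KV_RE.findall(message):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape
        fields[key] = value
    return fields


def parse_record(raw):
    """Parse the PRI=/MESSAGE= pair into one flat dict of fields."""
    out = {}
    for line in raw.splitlines():
        if line.startswith("PRI="):
            out["facility"], out["severity"] = parse_pri(int(line[4:]))
        elif line.startswith("MESSAGE="):
            out.update(parse_kv(line[8:]))
    return out


def summarize(records):
    """Count (host, PAN-OS type) pairs to check the FQDN-vs-short-name split."""
    counts = Counter()
    for host, raw in records:
        counts[(host, parse_record(raw).get("type", "UNKNOWN"))] += 1
    return dict(counts)
```

Feed it the host and _raw fields exported from the fallback index to see which hosts and event types account for the misrouted events.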