PA firewall logs ingested in Splunk Cloud without field extractions #325

dchen-ae · 2024-03-21T16:06:38Z

Describe the bug

PA firewall logs ingested in Splunk Cloud without field extractions.

Expected behavior

pan:firewall sourcetype should be transformed into pan:traffic, pan:threat, pan:system, pan:config with fields extracted

Current behavior

pan:firewall sourcetype is not being transformed and field extractions are not working in Splunk Cloud

Possible solution

If I send the logs from PA -> syslog server -> heavy forwarder -> Splunk Cloud then the logs get fields extracted.
But sending directly from PA -> syslog server -> Splunk Cloud does not work. Fields are not extracted.

Fix PA addon to transform logs when indexed in Splunk Cloud

Steps to reproduce

Configure syslog server to receive logs from PA firewalls
Install Palo Alto Networks Add-on & App in Splunk Cloud
Configure log forwarding in PA firewall to send logs to syslog server
Configure Splunk Universal Forwarder on the syslog server to send PA firewall logs to Splunk Cloud

Context

Would like to send the firewall logs directly to Splunk Cloud and remove the dependency on a heavy forwarder.

Your Environment

Splunk Cloud Version: 9.1.2308.203
Palo Alto Networks Add-on for Splunk: 8.1.1
syslog-ng: 4.6
PA firewall: 10.2.7-h3

Palo Alto - Syslog Server Profile
Transport: TCP
Port: 514
Format: BSD
Facility: LOG_USER
Custom Log Format: Default

arcsector · 2024-05-01T22:24:01Z

What does your data look like?

dchen-ae · 2024-05-03T13:24:46Z

Using UF from syslog server to Splunk Cloud. Sample log <14>Mar 19 16:53:03 PA-FW01 1,2024/03/19 16:53:03,123456789012,TRAFFIC,end,2562,2024/03/19 16:53:03,10.0.0.10,170.85.69.65,111.11.111.1,170.85.69.65,Internal-Out-App,,,zscaler-internet-access,vsys1,inside,outside,ae4,ae3,default,2024/03/19 16:53:03,2310425,1,57279,443,18228,443,0x44001c,tcp,allow,1044,562,482,9,2024/03/19 16:52:45,0,Category_Wildcard,,7332235240441019959,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,5,4,tcp-fin,0,0,0,0,Internet-VSYS,INAP-PAFW01,from-policy,,,0,,0,,N/A,0,0,0,0,f221d4f3-299c-45ec-bfa8-87f40604b502,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-03-19T16:53:03.857+00:00,,,proxy,networking,browser-based,1,has-known-vulnerability,,zscaler-internet-access,no,no,0

dchen-ae added the bug label Mar 21, 2024

0xC0FFEEEE mentioned this issue May 3, 2024

[Bug] Cortex Data > Splunk HEC event line breaks missing #324

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PA firewall logs ingested in Splunk Cloud without field extractions #325

PA firewall logs ingested in Splunk Cloud without field extractions #325

dchen-ae commented Mar 21, 2024

arcsector commented May 1, 2024 •

edited

Loading

dchen-ae commented May 3, 2024 via email •

edited

Loading

PA firewall logs ingested in Splunk Cloud without field extractions #325

PA firewall logs ingested in Splunk Cloud without field extractions #325

Comments

dchen-ae commented Mar 21, 2024

Describe the bug

Expected behavior

Current behavior

Possible solution

Steps to reproduce

Context

Your Environment

arcsector commented May 1, 2024 • edited Loading

dchen-ae commented May 3, 2024 via email • edited Loading

arcsector commented May 1, 2024 •

edited

Loading

dchen-ae commented May 3, 2024 via email •

edited

Loading