Some Palo Alto Logs not working #2083
Comments
This is an enhancement request; for now, enable the SC4S fallback catch and write a parser to override the sourcetype.
Can you please share the pcap file via a support ticket? We will work on enhancing it; please mention this GitHub issue in the ticket.
Working on this. Will post shortly.
@rjha-splunk can you provide an email address for me to send the pcap file? My company doesn't allow posting company data publicly.
@rjha-splunk I am also trying to have our Splunk Support Engineer (Splunk employee) forward you the pcap file via email. I asked him to look up your email address.
@rjha-splunk I verified with our Splunk Support Engineer (Splunk employee) that he sent you the pcap file you requested. Please post here if you need any other information.
I confirm that we received it and it has been added to our sprint; I will post by Friday if I have any questions.
Hi, today I reviewed the pcap you shared. It has only a few messages, and all of them are coming into Splunk as panos:log. Please add the following entry to splunk_metadata.csv as well to redirect the traffic:
pan_panos,index,pan_logs
The logs with "DECRYPTION" in them are the logs we were trying to add. After I followed your suggestion and added pan_panos,index,pan_logs to splunk_metadata.csv, I am now seeing our "DECRYPTION" logs coming into the pan_logs index.
@fpunzohig a filter fix for DECRYPTION will be added in #2322. Before it's merged, feel free to test on ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2322
Fix released in v3.19.1.
Hello,
We are successfully receiving some of our logs through SC4S but some logs are not showing up in Splunk. Currently, we are successfully receiving the following logs:
System -> pan:system
Configuration -> pan:config
HIP Match -> pan:hipmatch
Traffic -> pan:traffic
Threat -> pan:threat
We are currently sending the following logs but they are not being forwarded to Splunk:
URL - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/url-filtering-logs
WildFire - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/wildfire-submissions-logs
Authentication - https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs/network-authentication-log#:~:text=Auth%20logs%20contain%20information%20about%20authentication%20events%20seen,associated%20firewalls%20are%20not%20configured%20with%20authentication%20policies.
User-ID - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/user-id-logs
Decryption - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs
env_file:
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://obfuscated:443
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=obfuscated
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
splunk_metadata.csv:
pan_panos_config,index,pan_logs
pan_panos_correlation,index,pan_logs
pan_panos_globalprotect,index,pan_logs
pan_panos_hipmatch,index,pan_logs
pan_panos_log,index,pan_logs
pan_panos_system,index,pan_logs
pan_panos_threat,index,pan_logs
pan_panos_traffic,index,pan_logs
nix_syslog,index,aws_osnix
Can you please provide some suggestion for how we can get those logs ingested through SC4S into Splunk?
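The routing question raised in this issue, and the maintainer's suggestion earlier in the thread to add a vendor-wide pan_panos entry to splunk_metadata.csv, boil down to one lookup: which SC4S metadata key a PAN-OS log type resolves to, and whether that key (or the vendor-wide key) carries an index override. The script below is an added example, not code from the original issue or from SC4S itself. It reads a copy of the splunk_metadata.csv posted above, extracts the log Type from constructed PAN-OS syslog bodies (the Type is the fourth CSV field), and reports where each event would land. The key naming convention pan_panos_<type>, the set of keys the parser emits before and after the DECRYPTION fix, and the lookup order (per-type key, then pan_panos, then the HEC token's default index) are assumptions modeled on this thread; check them against the SC4S release you run.

```python
import csv
import io

# Constructed splunk_metadata.csv content: the entries posted in the issue.
SPLUNK_METADATA_CSV = """\
pan_panos_config,index,pan_logs
pan_panos_correlation,index,pan_logs
pan_panos_globalprotect,index,pan_logs
pan_panos_hipmatch,index,pan_logs
pan_panos_log,index,pan_logs
pan_panos_system,index,pan_logs
pan_panos_threat,index,pan_logs
pan_panos_traffic,index,pan_logs
nix_syslog,index,aws_osnix
"""

# Constructed PAN-OS syslog bodies (the CSV after the syslog header).
# In the PAN-OS CSV layout the 4th field is the log Type.
SAMPLE_LOGS = [
    "1,2023/01/01 12:00:00,001234567890,TRAFFIC,end,2561,2023/01/01 12:00:00,10.0.0.5,93.184.216.34",
    "1,2023/01/01 12:00:01,001234567890,THREAT,url,2561,2023/01/01 12:00:01,10.0.0.5,93.184.216.34",
    "1,2023/01/01 12:00:02,001234567890,DECRYPTION,,2561,2023/01/01 12:00:02,10.0.0.5,93.184.216.34",
    "1,2023/01/01 12:00:03,001234567890,USERID,login,2561,2023/01/01 12:00:03,10.0.0.5,",
]

# Assumed key set the SC4S Palo Alto parser emits before the DECRYPTION filter
# fix: exactly the pan_panos_* keys the issue author lists in the CSV above.
PRE_FIX_KEYS = {
    "pan_panos_config", "pan_panos_correlation", "pan_panos_globalprotect",
    "pan_panos_hipmatch", "pan_panos_log", "pan_panos_system",
    "pan_panos_threat", "pan_panos_traffic",
}
# Hypothetical post-fix key set: a dedicated decryption key is assumed here;
# the real key name must be taken from the SC4S release notes.
POST_FIX_KEYS = PRE_FIX_KEYS | {"pan_panos_decryption"}


def load_metadata(text):
    """Parse splunk_metadata.csv rows (key,field,value) into {key: {field: value}}."""
    meta = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or row[0].lstrip().startswith("#"):
            continue  # skip blank lines and comments
        key, field, value = (c.strip() for c in row[:3])
        meta.setdefault(key, {})[field] = value
    return meta


def panos_log_type(body):
    """Return the upper-cased PAN-OS log Type (4th CSV field), or None if absent."""
    fields = next(csv.reader([body]))
    if len(fields) <= 3:
        return None
    return fields[3].strip().upper() or None


def sc4s_key(log_type, parser_keys):
    """Map a PAN-OS Type to an SC4S metadata key.

    Assumed convention: pan_panos_<type lower-cased, hyphen removed>. A Type the
    parser does not recognise falls through to the catch-all pan_panos_log.
    """
    if log_type is None:
        return "pan_panos_log"
    key = "pan_panos_" + log_type.lower().replace("-", "")
    return key if key in parser_keys else "pan_panos_log"


def resolve_index(body, meta, parser_keys):
    """Return (key, index, matched_entry) for one log body.

    Lookup order as modeled from the thread: the per-type key, then the
    vendor-wide "pan_panos" entry. If neither sets an index, the event goes to
    the HEC token's default index, reported here as index=None.
    """
    key = sc4s_key(panos_log_type(body), parser_keys)
    for candidate in (key, "pan_panos"):
        index = meta.get(candidate, {}).get("index")
        if index:
            return key, index, candidate
    return key, None, None


def missing_overrides(meta, parser_keys):
    """Keys the parser can emit that have no index override, direct or vendor-wide."""
    if "index" in meta.get("pan_panos", {}):
        return []  # the vendor-wide entry covers every pan_panos_* key
    return sorted(k for k in parser_keys if "index" not in meta.get(k, {}))


if __name__ == "__main__":
    meta = load_metadata(SPLUNK_METADATA_CSV)
    for body in SAMPLE_LOGS:
        print(panos_log_type(body), "->", resolve_index(body, meta, POST_FIX_KEYS))
    print("keys without an index override:", missing_overrides(meta, POST_FIX_KEYS))
```

The practical caveat this surfaces: once a release adds a dedicated key for a log type (as the DECRYPTION fix did), events stop hitting the catch-all key and its index override no longer applies to them, so either add a row for the new key or keep the vendor-wide pan_panos row the maintainer suggested.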