Describe the bug
PA firewall logs ingested in Splunk Cloud without field extractions.
Expected behavior
pan:firewall sourcetype should be transformed into pan:traffic, pan:threat, pan:system, pan:config with fields extracted
Current behavior
pan:firewall sourcetype is not being transformed and field extractions are not working in Splunk Cloud
Possible solution
If I send the logs from PA -> syslog server -> heavy forwarder -> Splunk Cloud then the logs get fields extracted.
But sending directly from PA -> syslog server -> Splunk Cloud does not work. Fields are not extracted.
Fix PA addon to transform logs when indexed in Splunk Cloud
Steps to reproduce
- Configure syslog server to receive logs from PA firewalls
- Install Palo Alto Networks Add-on & App in Splunk Cloud
- Configure log forwarding in PA firewall to send logs to syslog server
- Configure Splunk Universal Forwarder on the syslog server to send PA firewall logs to Splunk Cloud
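Added example (not code from the add-on project or from the reporter): the syslog-ng receiver and the Universal Forwarder monitor stanza that the steps above imply. The file paths, the `s_pan`/`d_pan` object names and the `pan_logs` index are assumptions; the port, transport and sourcetype match the values given in this report.

```conf
# --- /etc/syslog-ng/conf.d/pan.conf (added example; path and object names are assumptions) ---
@version: 4.6

# Listen on TCP/514 to match the firewall's Syslog Server Profile (Transport: TCP, Port: 514).
# flags(no-parse) keeps the whole line in ${MESSAGE}, so the BSD header and the
# comma-separated PAN-OS payload reach the forwarder unchanged.
source s_pan {
    network(ip("0.0.0.0") port(514) transport("tcp") flags(no-parse));
};

# One file per sending firewall, keyed on the TCP peer address;
# create-dirs(yes) creates the per-sender directory on first write.
destination d_pan {
    file("/var/log/pan/${SOURCEIP}/firewall.log"
         create-dirs(yes)
         template("${MESSAGE}\n"));
};

log { source(s_pan); destination(d_pan); };

# --- $SPLUNK_HOME/etc/apps/pan_inputs/local/inputs.conf on the Universal Forwarder ---
# The UF only tails these files and tags them pan:firewall. The rewrite to
# pan:traffic / pan:threat / pan:system / pan:config is done by the add-on's
# props.conf and transforms.conf, which run wherever the data is parsed, not on a UF.
[monitor:///var/log/pan/*/firewall.log]
sourcetype = pan:firewall
index = pan_logs
# /var/log/pan/<sender>/firewall.log -> the 4th path segment becomes the host field
host_segment = 4
disabled = 0
```

A Universal Forwarder does not evaluate `TRANSFORMS-*` settings, so with this layout the sourcetype rewrite and the index-time extractions happen on the parsing tier: the heavy forwarder in the working path, or the Splunk Cloud indexers in the direct path. A quick check on the Cloud side is `index=pan_logs | stats count by sourcetype`: events still showing `pan:firewall` have not passed through the add-on's transforms.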
Context
Would like to send the firewall logs directly to Splunk Cloud and remove the dependency on a heavy forwarder.
Your Environment
Splunk Cloud Version: 9.1.2308.203
Palo Alto Networks Add-on for Splunk: 8.1.1
syslog-ng: 4.6
PA firewall: 10.2.7-h3
Palo Alto - Syslog Server Profile
Transport: TCP
Port: 514
Format: BSD
Facility: LOG_USER
Custom Log Format: Default