PaloAltoNetworks/Splunk-Apps

bytes_in and bytes_out for traffic extraction flipped

airlinedev opened this issue · 2 comments

airlinedev commented

Describe the bug

The transform extract_traffic assigns the incorrect values to bytes_in and bytes_out.

Expected behavior

"future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","bytes","bytes_in","bytes_out","packets","start_time","duration","http_category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","action_source","src_vm","dest_vm","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type"

Current behavior

"future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","session_flags","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","action_source","src_vm","dest_vm","tunnel_id","tunnel_monitor_tag","tunnel_session_id","tunnel_start_time","tunnel_type"

Possible solution

Flip the order of the bytes_in and bytes_out extraction order in the above transform

welcome-to-palo-alto-networks commented

🎉 Thanks for opening your first issue here! Welcome to the community!

btorresgil commented

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields

The syslog field reference shows this order:

Bytes, Bytes Sent, Bytes Received

Bytes Sent translates to bytes_out
Bytes Received translates to bytes_in

This is the intended behavior.