PaloAltoNetworks/Splunk-Apps

Traffic and Threat Log doesn't correctly translate the Source IP / X-Forwarded-For Value

paulkilla opened this issue · 3 comments

Describe the bug

When sending Traffic and Threat Logs (potentially others) with the X-Forwarded-For header set in the logged traffic, the Palo Alto Splunk Add-on isn't pulling that data out into client_ip or a new value.

We can see the XFF header value in the _raw log format, so the data is there, and we can do our own transforms to pull it out if required, but a set solution as part of the Add-on would be beneficial.

Expected behavior

The XFF header is pulled out as a new value, e.g. xff_ip?

Current behavior

The XFF header isn't pulled out of the _raw log entry, so it is not easily searchable or reportable.

Steps to reproduce

  1. Set up a proxy/load balancer and set the XFF header.
  2. The XFF header is visible in the Monitor tab of the firewall's logs.
  3. The XFF header value is visible in the _raw log entry.
  4. The XFF value is not pulled out as a specified field.

Thanks

🎉 Thanks for opening your first issue here! Welcome to the community!

As a note, looking at my _raw log and the fields extracted by the transforms, my raw logs have an additional 54 fields that aren't mapped in transforms.conf (Traffic log sourcetype).
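The two points raised in this thread, doing your own extraction of the XFF value and the trailing fields that the add-on's positional mapping leaves unmapped, can be reproduced outside Splunk. The following is an added example, not code from the Splunk-Apps project or the PAN-OS add-on. The field layout, the column index of the XFF value (`xff_index`) and the sample lines are all constructed for illustration: the real PAN-OS CSV schema has far more positional fields and the XFF column position depends on the PAN-OS version, so check the schema for your release before relying on any index. It also shows the caveat a practitioner needs here: X-Forwarded-For is client-supplied, so the leftmost hop is only what the client claimed and only the hop appended by a proxy you control is trustworthy.

```python
import csv
import io
import ipaddress

# Constructed, simplified field layout for a PAN-OS-style TRAFFIC CSV line.
# This is NOT the real PAN-OS schema; it only stands in for the add-on's
# positional mapping so the example can show what happens to trailing fields.
KNOWN_FIELDS = [
    "future_use", "receive_time", "serial_number", "type", "subtype",
    "generated_time", "src_ip", "dest_ip", "nat_src_ip", "nat_dest_ip",
    "rule", "src_user", "dest_user", "application",
]

# Constructed sample lines (not real firewall output). Fields after the
# mapped ones stand in for the columns the add-on does not name; the last
# column carries the X-Forwarded-For value in this assumed layout.
SAMPLE_LINES = [
    '1,2023/01/01 12:00:00,001234567890,TRAFFIC,end,2023/01/01 12:00:00,'
    '10.0.0.5,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'extra1,198.51.100.7',
    # Multi-hop XFF list: leftmost is the client's claim, rightmost was
    # appended by the last proxy before the firewall.
    '1,2023/01/01 12:00:01,001234567890,TRAFFIC,end,2023/01/01 12:00:01,'
    '10.0.0.6,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'extra1,"192.0.2.9, 198.51.100.7"',
    # Garbage XFF: a client can put anything in this header.
    '1,2023/01/01 12:00:02,001234567890,TRAFFIC,end,2023/01/01 12:00:02,'
    '10.0.0.7,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'extra1,"not an ip"',
]


def parse_xff(value):
    """Split an X-Forwarded-For value into validated IPs.

    Returns (client_claim, last_hop): the leftmost and rightmost entries
    that parse as IP addresses. Invalid entries are dropped rather than
    passed through, because the header is attacker-controlled input.
    """
    hops = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # not an IP; never let it reach a searchable field
    if not hops:
        return None, None
    return hops[0], hops[-1]


def parse_traffic_line(line, xff_index=15):
    """Map a CSV line onto the known fields and surface what the mapping misses.

    xff_index is an assumed column position, not the real PAN-OS one.
    """
    row = next(csv.reader(io.StringIO(line)))
    fields = dict(zip(KNOWN_FIELDS, row))

    # Everything past the known schema would otherwise vanish silently;
    # keep it so the gap (like the 54 unmapped fields above) is visible.
    extras = row[len(KNOWN_FIELDS):]
    fields["unmapped_fields"] = extras
    fields["unmapped_count"] = len(extras)

    xff_raw = row[xff_index] if xff_index < len(row) else ""
    fields["xff_raw"] = xff_raw
    fields["xff_client_ip"], fields["xff_last_hop"] = parse_xff(xff_raw)
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_traffic_line(line)
        print(rec["src_ip"], rec["xff_client_ip"], rec["xff_last_hop"],
              rec["unmapped_count"])
```

In a Splunk deployment the equivalent is a REPORT/EXTRACT in props.conf and transforms.conf keyed on the correct column for your PAN-OS version; whichever way it is done, keep the raw header string alongside the validated IP so an invalid or spoofed value is still visible in the data rather than dropped.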