PAN-OS Authentication Log Field Extractions
Opened this issue · 0 comments
makal27 commented
Describe the bug
Missing Search-time extractions for PANOS Authentication logs
Expected behavior
Splunk searches on PANOS Authentication logs provide meaningful field extractions
Current behavior
No Search-time parsing Splunk knowledge objects available
Possible solution
Props.conf

```ini
[pan:auth]
REPORT-search = extract_authentication
FIELDALIAS-type = log_type as type
```

Transforms.conf

```ini
[pan_auth]
DEST_KEY = MetaData:Sourcetype
REGEX = ^[^,]+,[^,]+,[^,]+,AUTH,
FORMAT = sourcetype::pan:auth

[extract_authentication]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","src_ip","user","user_normalized","object","authentication_policy","repeat_count","authentication_id","pan_vendor","log_action","server_profile","description","client_type","event_type","factor_number","sequence_number","action_flags","device_group_hierarchy_1","device_group_hierarchy_2","device_group_hierarchy_3","device_group_hierarchy_4","vsys","dvc_name","vsys_id","authentication_protocol","rule","timestamp","src_host_category","src_host_profile","src_host_model","src_host_vendor","src_host_os_name","src_host_os_version","src_host","src_mac","region","future_use2","user_agent","session_id","cluster_name"
```
splunk/splunk-connect-for-syslog#2304 was submitted for Splunk Connect for Syslog (SC4S) users to cover the index-time parsing / sourcetype identification side.
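As an added example (not part of this issue or of the add-on), the following Python reproduces outside Splunk what the two proposed stanzas do: the [pan_auth] regex decides whether a raw event belongs to pan:auth, and the [extract_authentication] field list is applied positionally, with the log_type alias, to a constructed AUTH event. Field names follow the stanza (with repeat_count spelled correctly); the sample event and all its values are made up, not a firewall capture.

```python
import csv
import io
import re
# The 47 field names of the proposed [extract_authentication] stanza, in order.
AUTH_FIELDS = [
    "future_use1", "receive_time", "serial_number", "log_type", "log_subtype", "version",
    "generated_time", "vsys", "src_ip", "user", "user_normalized", "object",
    "authentication_policy", "repeat_count", "authentication_id", "pan_vendor", "log_action",
    "server_profile", "description", "client_type", "event_type", "factor_number",
    "sequence_number", "action_flags", "device_group_hierarchy_1", "device_group_hierarchy_2",
    "device_group_hierarchy_3", "device_group_hierarchy_4", "vsys", "dvc_name", "vsys_id",
    "authentication_protocol", "rule", "timestamp", "src_host_category", "src_host_profile",
    "src_host_model", "src_host_vendor", "src_host_os_name", "src_host_os_version", "src_host",
    "src_mac", "region", "future_use2", "user_agent", "session_id", "cluster_name",
]

# Same check as the [pan_auth] transform: the fourth comma-separated value is AUTH.
AUTH_SOURCETYPE_RE = re.compile(r"^[^,]+,[^,]+,[^,]+,AUTH,")

def is_pan_auth(raw: str) -> bool:
    """True if the sourcetype-routing regex would assign this event to pan:auth."""
    return AUTH_SOURCETYPE_RE.match(raw) is not None

def extract_auth_fields(raw: str) -> dict:
    """Split one pan:auth event into named fields (search-time extraction equivalent).

    csv is used so a double-quoted value containing a comma (e.g. description)
    stays one field; a bare split on ',' would shift every field after it.
    The stanza names vsys twice, so a repeated name is collected as a list.
    """
    values = next(csv.reader(io.StringIO(raw)))
    fields: dict = {}
    for name, value in zip(AUTH_FIELDS, values):
        fields[name] = [fields[name], value] if name in fields else value
    fields["type"] = fields.get("log_type", "")  # FIELDALIAS-type = log_type as type
    return fields

# Constructed sample event (not a real firewall capture): 47 values in stanza order.
SAMPLE_EVENT = ",".join([
    "1", "2024/01/15 10:20:30", "001122334455", "AUTH", "auth-success",
    "2560", "2024/01/15 10:20:30", "vsys1", "198.51.100.23", "jdoe",
    "jdoe", "GlobalProtect", "gp-auth-policy", "1", "2",
    "Palo Alto Networks", "", "", '"authenticated user jdoe, via LDAP"', "GlobalProtect",
    "auth-success", "1", "7000000123456789", "0x0", "0",
    "0", "0", "0", "vsys1", "PA-FW-01",
    "1", "LDAP", "gp-auth-rule", "2024-01-15T10:20:30.000+00:00", "",
    "", "", "", "", "",
    "client-host", "00:11:22:33:44:55", "US", "", "",
    "", "",
])
```

The example splits quote-aware; confirm how your Splunk version's DELIMS treats double-quoted values that contain commas before relying on positional extraction of the description field.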
Steps to reproduce
Ingest AUTH events to Splunk and run searches on the data. When the Splunk PANOS TA is installed, no search-time extractions exist for this log subtype.
Screenshots
N/A
Context
Lack of PANOS authentication log field extraction causes lack of visibility.
Your Environment
Splunk distributed environment
- Version used: Splunk Add-on for Palo Alto Networks 8.1.1
- Environment name and version: Splunk 9.1.2
- Operating System and version (desktop or mobile): Desktop Amazon Linux 2