Forum Discussion
Palo Alto Data Connector - pattern not match
Roger_Fleming I'm using the CEF format from the PDF, and I've fixed the issues with copying and pasting into a text editor, but I'm only getting maybe 10% of the log into Sentinel; almost none of the pertinent key-value pairs make it. Looking at the rsyslog server, they are hitting that box with maybe one line and almost nothing else. Can't figure out what step might have been missed, but it seemed all pretty straightforward in the documentation.
Make sure you are using the correct version of the product. If you could run the following command, it will provide the data being received by the syslog and the omsagent:
tcpdump -A -ni any port 514 -vvv -s 0
should look like this in return
TCEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|tcp-high-ports|Unknown|act=Drop deviceDirection=0 rt=1573748935000 spt=46783 dpt=42627 cs2Label=Rule Name layer_name=Network layer_uuid=edf46e83-f10b-4fbc-93e9-fab40887b8d1 match_id=3 parent_rule=0 rule_action=Drop rule_uid=3f994325-9c52-4b18-ba44-307ad4929fb2 ifname=eth0 logid=0 loguid={0x5dcd80c9,0x1,0x501a8c0,0x1737aca9} origin=192.168.1.5 originsicname=cn\=cp_mgmt,o\=FlemingGW..y76ath sequencenum=2 version=5 dst=192.168.1.5 inzone=External outzone=Local product=VPN-1 & FireWall-1 proto=6 service_id=tcp-high-ports src=89.248.168.222
Then run
tcpdump -A -ni any port 25226 -vvv -s 0
should look the same
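To check whether what tcpdump shows is actually well-formed CEF before chasing the connector, here is an added example (not from the thread, Check Point or Microsoft's connector) that parses a CEF header and extension the way a connector-style parser does and reports why a record would fail to match. The sample record is constructed to resemble the one quoted above; the helper names are my own.

```python
import re

# A CEF record is "CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension";
# a literal '|' in a header field and a literal '=' in an extension value are escaped with '\'.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# One key=value pair; the value runs until the next " key=" boundary or end of line, so values
# with spaces ("Rule Name") or escaped '=' ("cn\=cp_mgmt") stay intact.
_EXTENSION_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.\-]+=|\s*$)")

# Constructed sample shaped like the line quoted in the thread (not a real capture).
SAMPLE = ("CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|tcp-high-ports|Unknown|"
          "act=Drop deviceDirection=0 rt=1573748935000 spt=46783 dpt=42627 cs2Label=Rule Name "
          "origin=192.168.1.5 originsicname=cn\\=cp_mgmt,o\\=FlemingGW..y76ath "
          "dst=192.168.1.5 proto=6 src=89.248.168.222")

def unescape(value):
    """Remove the CEF escaping backslash in front of '|', '=' or '\\'."""
    return re.sub(r"\\(.)", r"\1", value)

def parse_cef(line):
    """Return (header, extension) dicts, or raise ValueError for a line a CEF parser rejects."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("record does not start with 'CEF:' (leading junk before the header?)")
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)   # the extension may contain unescaped '|'
    if len(parts) != 8:
        raise ValueError(f"expected 7 header fields, found {len(parts) - 1}")
    header = {k: unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    extension = {m.group(1): unescape(m.group(2)) for m in _EXTENSION_PAIR.finditer(parts[7])}
    return header, extension

def cef_problems(line):
    """List what would stop the line from matching; an empty list means it parses cleanly."""
    problems = []
    if any(ch in line for ch in "\r\x00\x1b"):
        problems.append("control characters present (pasted or re-encoded text?)")
    try:
        parse_cef(line)
    except ValueError as exc:
        problems.append(str(exc))
    return problems

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["device_product"], ext["src"], "->", ext["dst"], ext["act"])
    print(cef_problems("T" + SAMPLE))   # one stray byte before "CEF:" and nothing matches
```

Run it against the lines tcpdump prints on port 514 and again on port 25226: a record that parses cleanly at the first hop but not the second points at the rsyslog-to-agent step rather than at the source.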