Palo Alto Data Connector - "pattern not match"

Question

Hello, I was hoping someone can help me with what appears to be incorrect Regex syntax in a configuration file.

I'm trying to connect our Palo Alto logs to Sentinel and i've followed all of the instructions here:

https://docs.microsoft.com/en-us/azure/sentinel/connect-paloalto#step-2-forward-palo-alto-logs-to-the-syslog-agent

I am receiving syslogs thought rsyslog, the OMS Agent is also receiving logs, however the OMS agent log file shows this:

2019-10-24 15:55:45 -0700 [warn]: pattern not match: "Oct 24 15:55:45 1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45

From what I have determined the match problem stems from this file:

/etc/opt/microsoft/omsagent/<workspace ID>/conf/omsagent.d/security_events.conf

and specifically this line:

format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

The problem is, this .conf file containing this regex came from Microsoft as part of the Palo Alto data collector setup instructions so i'm not entirely sure where to begin formatting the regex to provide what Sentinel expects?

Any ideas?

Thanks in advance,

Jamie

nicholas dicola (security jedi) · Accepted Answer

Jamie_Seddon&nbsp;
did you complete all the steps here?&nbsp;https://docs.microsoft.com/en-us/azure/sentinel/connect-paloalto#step-2-forward-palo-alto-networks-logs-to-the-syslog-agent
&nbsp;
This
Oct&nbsp;24&nbsp;15:55:45&nbsp; 1,2019/10/24&nbsp;15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24&nbsp;15:55:45&nbsp;
does not look like CEF format.&nbsp; in the PAN guides, it shows you to add CEF....blah in the formatting

Forum Discussion

Palo Alto Data Connector - "pattern not match"

2 Replies

Resources