Forum Discussion

Jamie_Seddon
Copper Contributor
Oct 24, 2019
Solved

Palo Alto Data Connector - "pattern not match"

Hello, I was hoping someone could help me with what appears to be incorrect regex syntax in a configuration file.

I'm trying to connect our Palo Alto logs to Sentinel and I've followed all of the instructions here:

https://docs.microsoft.com/en-us/azure/sentinel/connect-paloalto#step-2-forward-palo-alto-logs-to-the-syslog-agent

I am receiving syslogs through rsyslog, and the OMS Agent is also receiving logs; however, the OMS agent log file shows this:


2019-10-24 15:55:45 -0700 [warn]: pattern not match: "Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45

From what I have determined, the match problem stems from this file:

/etc/opt/microsoft/omsagent/<workspace ID>/conf/omsagent.d/security_events.conf

and specifically this line:

format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

The problem is, this .conf file containing this regex came from Microsoft as part of the Palo Alto data collector setup instructions, so I'm not entirely sure where to begin formatting the regex to provide what Sentinel expects?

Any ideas?

Thanks in advance,
Jamie
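
The following is an added example, not part of the original post and not Microsoft's connector code. It runs the `format` regex quoted above through Ruby's regex engine (fluentd, which the OMS agent uses for this parsing, is written in Ruby, so the `(?<name>...)` groups behave the same way). It shows that a conventional syslog line parses, that the Palo Alto line from the post does not (the regex requires a `host ident[pid]: message` shape, and the line has a double space where the host would be and a comma where the `:` must be), and that even a single-space variant of the line would match but mis-assign fields. The `PAYLOAD_FORMAT` regex at the end is a hypothetical alternative written for illustration, not a recommended or official Sentinel fix; all sample lines are constructed.

```ruby
# Added example: exercise the security_events.conf regex from the post.
# Ruby's regex engine accepts the (?<name>...) syntax used in the fluentd config.

# The format regex copied from the conf line quoted in the post.
CONF_FORMAT = /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

# Constructed sample lines (hosts, PIDs and IPs are made up).
STANDARD_SYSLOG = "Oct 24 15:55:45 fw-edge01 sshd[1234]: Accepted publickey for ops from 10.0.0.5"
# Shape of the line from the post: timestamp, TWO spaces, then a CSV payload.
PALO_ALTO_LINE  = "Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45"
# Same payload with a single space, to show what the conf regex would do then.
SINGLE_SPACE_LINE = "Oct 24 15:55:45 1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45"

# Apply the conf regex and return the named captures as a Hash,
# or nil when the line does not match (fluentd's "pattern not match" case).
def parse_with_conf(line)
  m = CONF_FORMAT.match(line)
  return nil unless m
  m.names.each_with_object({}) { |name, h| h[name] = m[name] }
end

# Hypothetical alternative (an assumption for illustration only): capture the
# BSD syslog timestamp and treat everything after it as the message, then split
# the CSV payload into fields. Not Microsoft's fix for the connector.
PAYLOAD_FORMAT = /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+) +(?<message>.*)$/

def parse_payload(line)
  m = PAYLOAD_FORMAT.match(line)
  return nil unless m
  { "time" => m["time"], "fields" => m["message"].split(",") }
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_conf(STANDARD_SYSLOG)    # host/ident/pid/message all populated
  p parse_with_conf(PALO_ALTO_LINE)     # nil -> "pattern not match"
  p parse_with_conf(SINGLE_SPACE_LINE)  # matches, but host/ident hold CSV fragments
  p parse_payload(PALO_ALTO_LINE)       # timestamp plus the CSV fields
end
```

Running the script shows the conf regex returning nil for the posted line, which is exactly what the agent reports in its log; the single-space variant demonstrates that the regex was written for `host ident[pid]: message` records rather than a comma-separated payload, since it lands `1,2019/10/24` in `host` and `15` in `ident`.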
