SOLVED
Palo Alto Data Connector - "pattern not match"

Jamie_Seddon
New Contributor

Hello, I was hoping someone can help me with what appears to be incorrect Regex syntax in a configuration file.

I'm trying to connect our Palo Alto logs to Sentinel and I've followed all of the instructions here:

https://docs.microsoft.com/en-us/azure/sentinel/connect-paloalto#step-2-forward-palo-alto-logs-to-th...

I am receiving syslogs through rsyslog, the OMS Agent is also receiving logs, however the OMS agent log file shows this:

2019-10-24 15:55:45 -0700 [warn]: pattern not match: "Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45

From what I have determined the match problem stems from this file:

/etc/opt/microsoft/omsagent/<workspace ID>/conf/omsagent.d/security_events.conf

and specifically this line:

format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

The problem is, this .conf file containing this regex came from Microsoft as part of the Palo Alto data collector setup instructions so I'm not entirely sure where to begin formatting the regex to provide what Sentinel expects?

Any ideas?

Thanks in advance,
Jamie
Solution

@Jamie_Seddon

Did you complete all the steps here? https://docs.microsoft.com/en-us/azure/sentinel/connect-paloalto#step-2-forward-palo-alto-networks-l...

This

Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45

does not look like CEF format. In the PAN guides, it shows you to add CEF....blah in the formatting
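As an added example (not code from the thread, Microsoft's connector or Palo Alto), the Ruby script below replays the fluentd "format" regex quoted in the question against the raw PAN-OS line from the question and against a constructed CEF-over-syslog line in the shape the connector expects; the device name "pa-fw01" and the CEF fields are made-up values.

```ruby
# Added example: replays the OMS agent / fluentd syslog "format" regex from
# security_events.conf (quoted in the thread) to show why the raw PAN-OS CSV
# line is rejected with "pattern not match" while a CEF line is accepted.

# The regex exactly as it appears in the thread's security_events.conf line.
SYSLOG_FORMAT = /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

# Returns nil when the agent would log "pattern not match", otherwise a hash
# of the named captures (time, host, ident, pid, message) it would extract.
def parse_syslog(line)
  m = SYSLOG_FORMAT.match(line)
  m && m.named_captures
end

# The raw PAN-OS CSV line from the original post (non-CEF): after the
# timestamp there is no "<host> <ident>:" envelope, the CSV body starts
# immediately, so the mandatory "<ident>:" part of the regex never matches.
RAW_CSV_LINE = "Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45"

# Constructed CEF-over-syslog line (device name and field values are made up):
# "<timestamp> <host> CEF:<version>|<vendor>|<product>|<dev version>|<signature>|<name>|<severity>|<extension>"
CEF_LINE = "Oct 24 15:55:45 pa-fw01 CEF:0|Palo Alto Networks|PAN-OS|9.0.0|start|TRAFFIC|1|rt=Oct 24 2019 15:55:45 GMT src=10.0.0.5 dst=10.0.0.9 proto=tcp dpt=443"

# True when the parsed envelope carries a CEF payload: the syslog "ident"
# token is CEF and the message begins with the CEF version followed by "|".
def cef?(captures)
  return false if captures.nil?
  captures["ident"] == "CEF" && captures["message"].match?(/\A\d+\|/)
end

if __FILE__ == $PROGRAM_NAME
  [RAW_CSV_LINE, CEF_LINE].each do |line|
    c = parse_syslog(line)
    if c
      puts "matched: time=#{c['time']} host=#{c['host']} ident=#{c['ident']} cef=#{cef?(c)}"
    else
      puts "pattern not match: #{line}"
    end
  end
end
```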

Thank you! That was an oversight on my part - got it working.
Cheers!