Palo Alto Syslogs to Sentinel


Hi,

We are ingesting Palo Alto firewall logs into Sentinel, which seems to be mostly working; however, the fields are not populating correctly.

There is an additional field called 'AdditionalExtensions' that contains most of the pertinent information within the log in one big text string, such as destip, srcip, user, etc.

Has anyone had this issue before? Would this issue be caused by configuration on the Firewall itself, the proxy forwarder, or is there something I can do within Sentinel itself?

Many thanks for any assistance.
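The 'AdditionalExtensions' string described in the post holds the CEF key=value pairs that were not mapped to dedicated columns. The parser below is an added example (not code from the post, from Microsoft or from Palo Alto) that splits such a string into named fields so the source/destination/user values become usable; the ';' pair delimiter, the backslash-escaped ';' convention and the sample value are assumptions constructed for this example.

```python
import re
from typing import Dict

# Constructed sample of a CommonSecurityLog.AdditionalExtensions value for a
# Palo Alto CEF event. Extra CEF extensions are assumed to be stored as
# 'key=value' pairs joined by ';' (verify against your own table).
SAMPLE_ADDITIONAL_EXTENSIONS = (
    "src=10.1.2.3;dst=203.0.113.7;spt=51022;dpt=443;"
    "suser=corp\\alice;app=ssl;PanOSRuleName=allow-web;"
    "msg=url=https://example.test/path?a=1\\;b=2"
)

# Split on ';' only when it is not preceded by a backslash (CEF escape).
PAIR_SPLIT = re.compile(r"(?<!\\);")


def parse_additional_extensions(text: str) -> Dict[str, str]:
    """Split a ';'-joined CEF extension string into a dict.

    Each pair is split at its first '=' only, so values that themselves
    contain '=' (URLs, query strings) survive intact. A literal ';' inside
    a value is assumed to be escaped as '\\;' and is unescaped here.
    Fragments without '=' are kept under '_unparsed' so nothing is lost.
    """
    fields: Dict[str, str] = {}
    for pair in PAIR_SPLIT.split(text):
        if not pair.strip():
            continue
        if "=" not in pair:
            fields["_unparsed"] = fields.get("_unparsed", "") + pair + ";"
            continue
        key, value = pair.split("=", 1)
        fields[key.strip()] = value.replace("\\;", ";")
    return fields


# Map CEF short keys to the column names an analyst expects in Sentinel.
CEF_TO_COLUMN = {
    "src": "SourceIP", "dst": "DestinationIP",
    "spt": "SourcePort", "dpt": "DestinationPort",
    "suser": "SourceUserName", "app": "ApplicationProtocol",
}


def normalize(fields: Dict[str, str]) -> Dict[str, str]:
    """Rename known CEF keys to Sentinel-style names; keep vendor keys as-is."""
    return {CEF_TO_COLUMN.get(k, k): v for k, v in fields.items()}


if __name__ == "__main__":
    print(normalize(parse_additional_extensions(SAMPLE_ADDITIONAL_EXTENSIONS)))
```

The same split-on-';' then split-on-first-'=' logic can be expressed at query time in KQL, but fixing the CEF collector so the standard extensions land in their own columns is the better long-term fix.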
