Palo Alto Data Connector - "pattern not match"

Copper Contributor

Hello, I was hoping someone can help me with what appears to be incorrect Regex syntax in a configuration file.


I'm trying to connect our Palo Alto logs to Sentinel and i've followed all of the instructions here:


I am receiving syslogs thought rsyslog, the OMS Agent is also receiving logs, however the OMS agent log file shows this:


2019-10-24 15:55:45 -0700 [warn]: pattern not match: "Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45
From what I have determined the match problem stems from this file:
/etc/opt/microsoft/omsagent/<workspace ID>/conf/omsagent.d/security_events.conf
and specifically this line:
format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/ 
The problem is, this .conf file containing this regex came from Microsoft as part of the Palo Alto data collector setup instructions so i'm not entirely sure where to begin formatting the regex to provide what Sentinel expects?
Any ideas?
Thanks in advance,
2 Replies
best response confirmed by Jamie_Seddon (Copper Contributor)


did you complete all the steps here?



Oct 24 15:55:45  1,2019/10/24 15:55:45,013201006249,TRAFFIC,start,2049,2019/10/24 15:55:45 

does not look like CEF format.  in the PAN guides, it shows you to add CEF....blah in the formatting

Thank you! That was an oversight on my part - got it working.