diff --git a/package/etc/conf.d/filters/paloalto/panos.conf b/package/etc/conf.d/filters/paloalto/panos.conf
index dedddf3..9c5109b 100644
--- a/package/etc/conf.d/filters/paloalto/panos.conf
+++ b/package/etc/conf.d/filters/paloalto/panos.conf
@@ -5,5 +5,5 @@ filter f_is_palalto_format{
 };
 filter f_paloalto_panos {
- message(',\d+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPWATCH|CORRELATION|USERID),');
+ message(',[0-9A-F]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPWATCH|CORRELATION|USERID),');
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
index 2f9cd3d..27c6c3a 100644
--- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
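Review bot: The widened class `[0-9A-F]+` on the `message(...)` line of `f_paloalto_panos` is still unanchored, and the same unanchored pattern is repeated in the seven `if`/`elif` branches of lp-paloalto_panos.conf.tmpl, so a message that merely contains something like `,DEAD,CONFIG` in a free-text field, rather than a PAN-OS serial in the third CSV field, is routed to the pan:* sourcetype and index. Going from digits to hex letters makes such incidental matches (hex IDs, MAC fragments) more likely than the previous `\d+`. If `$MESSAGE` starts at the first PAN-OS CSV field, as the test fixture `1,<receive_time>,007200C01056,TRAFFIC,...` suggests, anchoring to the serial position keeps the hex support while tightening the match: `message('^[^,]*,[^,]*,[0-9A-F]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPWATCH|CORRELATION|USERID),');`, with the same prefix applied to each branch pattern in the template. Whether serials can also appear in lowercase (which would need `a-f` in the class) is not shown by the diff either way and is worth confirming against real device output.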
@@ -56,25 +56,25 @@ log {
 #set the source type based on program field and lookup index from the splunk_context csv
- if (message(',\d+,THREAT')) {
+ if (message(',[0-9A-F]+,THREAT')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:threat"), index("netproxy"))};
 parser {p_add_context_splunk(key("pan_threat")); };
- } elif (message(',\d+,TRAFFIC')) {
+ } elif (message(',[0-9A-F]+,TRAFFIC')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:traffic"), index("netfw"))};
 parser {p_add_context_splunk(key("pan_traffic")); };
- } elif (message(',\d+,SYSTEM')) {
+ } elif (message(',[0-9A-F]+,SYSTEM')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:system"), index("netops"))};
 parser {p_add_context_splunk(key("pan_system")); };
- } elif (message(',\d+,CONFIG')) {
+ } elif (message(',[0-9A-F]+,CONFIG')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:config"), index("netops"))};
 parser {p_add_context_splunk(key("pan_config")); };
- } elif (message(',\d+,HIPWATCH')) {
+ } elif (message(',[0-9A-F]+,HIPWATCH')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:hipwatch"), index("main"))};
 parser {p_add_context_splunk(key("pan_hipwatch")); };
- } elif (message(',\d+,CORRELATION')) {
+ } elif (message(',[0-9A-F]+,CORRELATION')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:correlation"), index("main"))};
 parser {p_add_context_splunk(key("pan_correlation")); };
- } elif (message(',\d+,USERID')) {
+ } elif (message(',[0-9A-F]+,USERID')) {
 rewrite { r_set_splunk_dest_default(sourcetype("pan:userid"), index("netauth"))};
 parser {p_add_context_splunk(key("pan_userid")); };
 } else {
diff --git a/tests/test_palo_alto.py b/tests/test_palo_alto.py
index de6b31a..b24e4ef 100644
--- a/tests/test_palo_alto.py
+++ b/tests/test_palo_alto.py
@@ -18,7 +18,7 @@ def test_palo_alto_traffic(record_property, setup_wordlist, setup_splunk, setup_
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 mt = env.from_string(
- "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},007200001056,TRAFFIC,end,1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
+ "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},007200C01056,TRAFFIC,end,1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
 message = mt.render(mark="<111>", host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
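Review bot: Only the TRAFFIC fixture gets a serial with a hex letter (`007200C01056`), so this test exercises one of the seven branches that switched to `[0-9A-F]+` in lp-paloalto_panos.conf.tmpl; if the THREAT, SYSTEM, CONFIG, HIPWATCH, CORRELATION and USERID fixtures elsewhere in this file still carry all-numeric serials, the change is unverified for those routes. A hex-letter serial in one fixture per sourcetype, or a single serial value shared by all the fixtures, would close that gap. The body of test_palo_alto_traffic continues past the end of the hunk.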