Aqui Tamayo Valued Contributor.

Palo Alto device address field missing

Hi,

I'm collecting logs on Palo Alto and it seemed to be working properly until I noticed that I seldom see the Device Address field on Traffic and Threat events. Most of the events have a NULL deviceAddress field.

Is this normal, or is it a parsing issue? Can anyone suggest what to do about it?

Thanks and Regards,

Aqui

5 Replies
Ajith K S Super Contributor.

Re: Palo Alto device address field missing

Hi @Aqui Tamayo 

Did you check if the device address is getting captured in raw logs for Traffic and Threat events?


Regards

Ajith K S

Aqui Tamayo Valued Contributor.

Re: Palo Alto device address field missing

Hi Ajith,
I can't enable the raw logs because we have a multitenant ESM and it would make the EPS go very high. Unfortunately, our client does not have a Logger. Upon my investigation, all PA devices were sending logs properly, but some PA devices recently had a problem with sending their deviceAddress/deviceHostname.

Is it possible that they upgraded the PA version and it resulted in an issue with the parsing of CEF? I'm still trying to confirm the changes made on the PA side.

Thanks and Regards,
Aqui
evknott1 Super Contributor.

Re: Palo Alto device address field missing

We have seen this when the deviceHostName is not resolvable. Check to ensure there is an entry in DNS.


We also set Remove Unresolvable Names/IPs From Cache to Yes (w/negative cache) when DNS does not provide resolution, as it reduces load.


Aqui Tamayo Valued Contributor.

Re: Palo Alto device address field missing

Hi evknott1,

May I ask how you did those steps? After doing them, did the PA devices start sending logs with the deviceAddress/deviceHostname fields?

Thanks and Regards,
Aqui
evknott1 Super Contributor.

Re: Palo Alto device address field missing

To determine if the deviceHostName is in DNS, just do an "nslookup <deviceHostName>", where deviceHostName is copied directly from the event, on the host with the SmartConnector.


The setting is within the SmartConnector Runtime Parameters.  The setting does help reduce queries to the DNS environment.

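The check evknott1 describes (look at the dvchost value carried in the CEF event and see whether the SmartConnector host can resolve it) can be automated over a batch of events. The script below is an added example written for this thread, not code from the original posts or from Micro Focus/Palo Alto: it parses the CEF header and extension, takes deviceAddress from `dvc` when the firewall sends it, otherwise tries to resolve `dvchost`, and lists the hostnames that fail, i.e. the ones to feed into nslookup and fix in DNS. The sample events and the `FAKE_DNS` table are constructed so the example runs offline; pass `resolve=socket.gethostbyname` to query real DNS from the connector host. The assumption that the connector derives deviceAddress from `dvc` and, failing that, from resolving `dvchost` follows evknott1's observation and is not taken from connector documentation.

```python
"""Added example (not from the thread): find Palo Alto CEF events whose
deviceAddress would be empty because dvc is absent and dvchost does not
resolve. Sample events and the DNS table below are constructed.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample events. The header mirrors the PAN-OS CEF layout
# (vendor|product|version|signature|name|severity); the extension is trimmed.
SAMPLE_EVENTS = [
    "CEF:0|Palo Alto Networks|PAN-OS|9.1.0|end|TRAFFIC|1|rt=Jan 01 2020 10:00:00 "
    "deviceExternalId=001234567890 src=10.1.1.10 dst=8.8.8.8 dvc=10.0.0.1 dvchost=pa-fw01 "
    "cs1Label=Rule cs1=allow-dns",
    "CEF:0|Palo Alto Networks|PAN-OS|9.1.0|end|TRAFFIC|1|rt=Jan 01 2020 10:00:01 "
    "deviceExternalId=001234567891 src=10.1.1.11 dst=10.2.2.2 dvchost=pa-fw02 "
    "cs1Label=Rule cs1=intra-zone",
    "CEF:0|Palo Alto Networks|PAN-OS|9.1.0|url|THREAT|3|rt=Jan 01 2020 10:00:02 "
    "deviceExternalId=001234567892 src=10.1.1.12 dst=203.0.113.9 dvchost=pa-fw03 "
    "cs1Label=Rule cs1=web-browsing",
]

# Constructed stand-in for the SmartConnector host's resolver (offline run).
FAKE_DNS = {"pa-fw01": "10.0.0.1", "pa-fw02": "10.0.0.2"}


def fake_resolve(host: str) -> str:
    """Behave like socket.gethostbyname against the constructed table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no DNS entry for {host}")


def split_cef_header(event: str) -> List[str]:
    """Split the 7 CEF header fields on unescaped '|'; element 7 is the extension."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(event) and len(parts) < 7:
        ch = event[i]
        if ch == "\\" and i + 1 < len(event):   # keep escaped char pairs intact
            buf.append(event[i:i + 2])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("not a CEF event: fewer than 7 header fields")
    parts.append(event[i:])
    return parts


# A key is a run of key characters followed by '=' at the start or after whitespace;
# an escaped '\=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse CEF extension key=value pairs, undoing '\\=', '\\\\', '\\n', '\\r' escapes."""
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        value = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
        fields[m.group(1)] = value
    return fields


def device_address(fields: Dict[str, str],
                   resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """dvc if the firewall sent it; otherwise the resolved dvchost; None if neither works."""
    if fields.get("dvc"):
        return fields["dvc"]
    host = fields.get("dvchost")
    if not host:
        return None
    try:
        return resolve(host)
    except OSError:          # socket.gaierror is a subclass of OSError
        return None


def audit(events: List[str],
          resolve: Callable[[str], str] = socket.gethostbyname) -> List[Dict[str, Optional[str]]]:
    """One row per event: event type, firewall serial, dvchost, derived deviceAddress."""
    report = []
    for ev in events:
        header = split_cef_header(ev)
        fields = parse_extension(header[7])
        report.append({
            "type": header[5],
            "serial": fields.get("deviceExternalId"),
            "dvchost": fields.get("dvchost"),
            "deviceAddress": device_address(fields, resolve),
        })
    return report


def unresolved_hosts(report: List[Dict[str, Optional[str]]]) -> List[str]:
    """Hostnames that left deviceAddress empty: the list to nslookup and add to DNS."""
    return sorted({r["dvchost"] for r in report if r["deviceAddress"] is None and r["dvchost"]})


if __name__ == "__main__":
    rows = audit(SAMPLE_EVENTS, resolve=fake_resolve)
    for row in rows:
        print(row)
    print("check in DNS:", unresolved_hosts(rows))
```

Run it on the connector host against a handful of exported events with `resolve=socket.gethostbyname`; any hostname in the final list is one that DNS on that host cannot resolve, which is exactly the condition evknott1 ties to the empty deviceAddress.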