Palo Alto Mapping Problem
I am facing a problem mapping the events from Palo Alto to ArcSight. I have used both mappings shown in the discussion (https://protect724.arcsight.com/docs/DOC-1194) but nothing happened.
All the event parameters show up in one ArcSight field, "Name", like the following:
"1,2011/03/28 15:39:30,0003C100979,SYSTEM,general,0,2011/03/28 15:39:30,,auth-fail,,0,0,general,informational,User 'cabps\sddddddddd' failed authentication. Reason: Invalid username/password"
I did exactly what is mentioned in "External Release - ArcSight Flexconnector - Palo Alto Networks - Release notes.zip",
and I put "pan.sdkrfilereader.properties" in the syslog connector's /Current/User/Agent/Flexagent/Syslog directory.
My syslog connector version is 188.8.131.5217.0
My Palo Alto OS version is 3.1.4
Can you please help me find the problem and solve it?

Why bother creating a FlexConnector for Palo Alto, which now supports the CEF format?
Check the attached document on how to configure the Palo Alto with the CEF format. Please note you can modify yourself the way the CEF format is used, as there are some inconsistencies (like the name being "TRAFFIC" for allowed and denied events).
Let me know if it helps.

I have upgraded my Palo Alto OS version to 4.0.1, and I did exactly what is mentioned in the Palo Alto Networks CEF Configuration Guide v6.pdf. I copied the CEF for each type (Threat, Traffic, System, Config), but it didn't work.
Before I did that, the events were all set in the Name field, but now there is just "System auth success", for example, in the Name field, and all the other fields are empty.
The connector version is 184.108.40.20617.0
Please, can you help me?

Let's first look at whether the problem comes from the parsing or from the Palo Alto log export. Could you activate the "preserve raw events" field in your connector tab on ESM? Then look in the raw event field to see if the event format looks correct (CEF:0 ...). If not, the problem comes from the Palo Alto, and I suggest you delete the current log config and restart from scratch according to the procedure described in the manual.
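The check in the last reply (is the raw event a CEF:0 line, or is it still the comma-separated line quoted in the first post?) can be scripted once raw events are preserved. The Python below is an added example written for this thread, not ArcSight's or Palo Alto Networks' code. Both sample events are constructed: the CSV line is the one quoted above, and the CEF line is an assumed rendering of the same event behind a syslog header. The PAN-OS system-log column order is an assumption for the 4.x format. The code detects whether a raw event carries a CEF header, parses the CEF header and extension while honouring backslash escapes, and otherwise maps the legacy CSV onto named columns, so an event that reaches ESM with only the Name field populated can be compared against what the device actually sent.

```python
"""Tell CEF from legacy PAN-OS CSV in a raw syslog event and parse either.

Added example for this thread, not ArcSight's or Palo Alto Networks' code.
Assumptions: the PAN-OS 4.x system-log column order below and the CEF
sample layout; both sample events are constructed.
"""
import csv
import re

# Assumed PAN-OS 4.x SYSTEM log column order (15 columns).
PAN_SYSTEM_FIELDS = [
    "future_use_1", "receive_time", "serial", "type", "subtype",
    "future_use_2", "generated_time", "vsys", "event_id", "object",
    "future_use_3", "future_use_4", "module", "severity", "description",
]

# CEF header fields that follow the version, in order.
CEF_HEADER_NAMES = [
    "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
]

_CEF_START = re.compile(r"CEF:(\d+)\|")
# key=value pairs; a value runs until the next " key=" or end of string.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def is_cef(raw):
    """True if the raw event carries a CEF header, even behind a syslog prefix."""
    return _CEF_START.search(raw) is not None


def _split_unescaped(text, sep, maxsplit):
    """Split on sep at most maxsplit times, ignoring backslash-escaped seps."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unescape(value):
    # CEF escapes '|' in the header and '=' and '\' everywhere with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(raw):
    """Return {'header': {...}, 'extension': {...}}; ValueError if not CEF."""
    m = _CEF_START.search(raw)
    if m is None:
        raise ValueError("not a CEF event")
    fields = _split_unescaped(raw[m.end():], "|", 6)
    if len(fields) != 7:
        raise ValueError("malformed CEF header: %d fields" % len(fields))
    header = {"version": int(m.group(1))}
    header.update(zip(CEF_HEADER_NAMES, (_unescape(f) for f in fields[:6])))
    extension = {k: _unescape(v) for k, v in _EXT_PAIR.findall(fields[6])}
    return {"header": header, "extension": extension}


def parse_pan_system_csv(raw):
    """Map a legacy comma-separated PAN-OS SYSTEM line onto named columns."""
    columns = next(csv.reader([raw]))
    if len(columns) < len(PAN_SYSTEM_FIELDS):
        raise ValueError("expected %d columns, got %d"
                         % (len(PAN_SYSTEM_FIELDS), len(columns)))
    return dict(zip(PAN_SYSTEM_FIELDS, columns))


def classify(raw):
    """Return ('cef', parsed) or ('pan-csv', parsed) for a raw event string."""
    if is_cef(raw):
        return "cef", parse_cef(raw)
    return "pan-csv", parse_pan_system_csv(raw)


# Constructed samples: the CSV line quoted in the first post, and an assumed
# CEF rendering of the same event behind a syslog header.
LEGACY_EVENT = (
    "1,2011/03/28 15:39:30,0003C100979,SYSTEM,general,0,2011/03/28 15:39:30,,"
    "auth-fail,,0,0,general,informational,User 'cabps\\sddddddddd' failed "
    "authentication. Reason: Invalid username/password"
)
CEF_EVENT = (
    "<14>Mar 28 15:39:30 fw1 CEF:0|Palo Alto Networks|PAN-OS|4.0.1|auth-fail|"
    "SYSTEM|3|rt=Mar 28 2011 15:39:30 deviceExternalId=0003C100979 cat=general "
    "msg=User 'cabps\\\\sddddddddd' failed authentication. Reason: Invalid username/password"
)

if __name__ == "__main__":
    for raw in (LEGACY_EVENT, CEF_EVENT):
        kind, parsed = classify(raw)
        print(kind, parsed)
```

Run it against the raw event field copied out of ESM: a `pan-csv` result means the device is still sending the legacy format and the CEF configuration has not taken effect; a `cef` result with an empty `extension` dict means the header parsed but no key=value pairs followed it, which is worth comparing against the CEF templates in the configuration guide.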