
Palo Alto (formerly CloudGenix) Prisma SD-WAN support #2179

Closed
aws-zen opened this issue Sep 23, 2023 · 4 comments


aws-zen commented Sep 23, 2023

Please include support for the Palo Alto Prisma SD-WAN ION appliances (formerly CloudGenix ION). To avoid confusion and possible disambiguation in the future, be aware there are other services in the Prisma line.

System events are in the following format:
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-sites-and-devices/use-external-services-for-monitoring/syslog-server-support-in-prisma-sd-wan

Flow information is in the following format:
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-sites-and-devices/use-external-services-for-monitoring/syslog-server-support-in-prisma-sd-wan/syslog-flow-export

rjha-splunk (Collaborator) commented:

Can you please share an anonymized sample of the event as well, after capturing a pcap (Statistics > Conversations > UDP/TCP -> Follow Stream in Wireshark).


aws-zen commented Sep 26, 2023

Here are examples of two of the three event types (I will likely not have an alert for a few more days).

<13>1 2023-09-26T23:28:26.000035+00:00 MYDEVICENAME cgxFlowLogV1 20681 - - 2023-09-26T23:28:26,10.10.10.64,52172,208.67.222.222,443,udp,,,1,1,224,490,,ISP1,,,Delete flow (udp flow timeout),
<13>1 2023-09-26T23:28:26.000035+00:00 MYDEVICENAME cgxFlowLogV1 20681 - - 2023-09-26T23:28:26,10.10.10.52,62353,10.10.12.55,135,tcp,,,8,6,672,896,,ISP1,,msrpc-base,Delete flow (tcp closed by FIN or RST),

<11>1 2023-09-26T23:36:36.882Z 10.10.10.51 log - - -  ION_HOST="MYDEVICENAME" DEVICE_TIME="2023-09-26T23:36:36.882Z" MSG="sshd-all:error: Received disconnect from 10.10.200.95 port 51711:14: Unable to authenticate using any of the configured authentication methods.  [preauth]" SEVERITY="major" PROCESS_NAME="sshd" FACILITY="auth" ELEMENT_ID="1689170211556024796" 

A couple of notes:

  1. The documentation is missing src port after src address in the first table (but it is included in their example and the actual output).
  2. The two flow entries in my example end with a comma and lack the zbfw field. This is due to the feature not being enabled in this configuration.

Thank you for your help.


aws-zen commented Oct 4, 2023

Here are some alarm events:

<10>1 2023-10-04T16:20:15.687Z 10.10.10.51 alarm - - - ION_HOST="MyDevice1" DEVICE_TIME="2023-10-04T16:20:15.687Z" STATUS="cleared" CODE="DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED" Severity="critical" CONCURRENT_LIMIT="100000" IDENTIFIER="1689170154632020296" ELEMENT_ID="1689170211556024796"

<11>1 2023-10-04T16:45:15.608Z 10.10.10.203 alarm - - - ION_HOST="MyDevice22" DEVICE_TIME="2023-10-04T16:45:15.608Z" STATUS="Not clear" CODE="NETWORK_VPNLINK_DOWN" Severity="major" AL_ID="1692211457478015096" VPN_LINK_ID="1693496601376017896" IDENTIFIER="1693496601376017596" ELEMENT_ID="1690471915306003396"
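As an added example (not code from this issue or from the project), here is a small Python parser for the three ION syslog shapes posted above: the `cgxFlowLogV1` CSV flow record, and the `KEY="value"` bodies of `log` and `alarm` messages. It handles the trailing empty zbfw column noted above and the differing severity key case between log (`SEVERITY`) and alarm (`Severity`) bodies; the flow column names other than the address, port and protocol columns are assumed placeholders, since the issue does not list them.

```python
"""Parse the three ION syslog shapes posted in this issue (flow, log, alarm)."""
import csv
import re
from io import StringIO

# RFC 5424 header as the ION sends it: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# "log" and "alarm" bodies are KEY="value" pairs. Note the log sample spells
# the severity key SEVERITY while the alarm samples use Severity; keys are kept as sent.
KV = re.compile(r'(\w+)="([^"]*)"')

# cgxFlowLogV1 columns, read off the samples. The vendor doc (per the note above)
# confirms src/dst address, src/dst port and protocol; every other name here is an
# ASSUMED placeholder. Column 18 is the zbfw field, empty when the feature is off.
FLOW_FIELDS = ["flow_time", "src_ip", "src_port", "dst_ip", "dst_port", "proto",
               "f7", "f8", "pkts_a", "pkts_b", "bytes_a", "bytes_b", "f13",
               "path", "f15", "app_id", "reason", "zbfw"]


def parse_event(line: str) -> dict:
    """Return the RFC 5424 header fields plus a 'fields' dict for the body."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line")
    ev = m.groupdict()
    ev["facility"], ev["severity"] = divmod(int(ev.pop("pri")), 8)
    body = ev.pop("msg").strip()
    if ev["app"] == "cgxFlowLogV1":
        cols = next(csv.reader(StringIO(body)))  # trailing comma -> empty zbfw column
        if len(cols) != len(FLOW_FIELDS):
            raise ValueError(f"expected {len(FLOW_FIELDS)} flow columns, got {len(cols)}")
        ev["fields"] = dict(zip(FLOW_FIELDS, cols))
    else:  # log and alarm messages
        ev["fields"] = dict(KV.findall(body))
    return ev


# Sample lines copied from this issue (device names and IPs as the reporter posted them).
SAMPLES = [
    '<13>1 2023-09-26T23:28:26.000035+00:00 MYDEVICENAME cgxFlowLogV1 20681 - - 2023-09-26T23:28:26,10.10.10.52,62353,10.10.12.55,135,tcp,,,8,6,672,896,,ISP1,,msrpc-base,Delete flow (tcp closed by FIN or RST),',
    '<11>1 2023-09-26T23:36:36.882Z 10.10.10.51 log - - -  ION_HOST="MYDEVICENAME" DEVICE_TIME="2023-09-26T23:36:36.882Z" MSG="sshd-all:error: Received disconnect from 10.10.200.95 port 51711:14: Unable to authenticate using any of the configured authentication methods.  [preauth]" SEVERITY="major" PROCESS_NAME="sshd" FACILITY="auth" ELEMENT_ID="1689170211556024796"',
    '<10>1 2023-10-04T16:20:15.687Z 10.10.10.51 alarm - - - ION_HOST="MyDevice1" DEVICE_TIME="2023-10-04T16:20:15.687Z" STATUS="cleared" CODE="DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED" Severity="critical" CONCURRENT_LIMIT="100000" IDENTIFIER="1689170154632020296" ELEMENT_ID="1689170211556024796"',
]

if __name__ == "__main__":
    for ev in map(parse_event, SAMPLES):
        print(ev["app"], ev["facility"], ev["severity"], ev["fields"])
```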

mstopa-splunk (Contributor) commented:

New parsers added in #2298
