pan:config in default is broken #302

Open
lumpymilk opened this issue Jul 18, 2023 · 0 comments
Describe the bug

transforms.conf for extract_config is wrong for the default format. There was a misinterpretation of the format: two fields are not typically part of the event. The Before Change Detail fields are ONLY in CUSTOM logs.

The format for pan:config syslog specifically says the Change Detail fields will only appear in custom logs:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields

Before Change Detail (before-change-detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after-change-detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.

The fields do not normally appear. This throws off the whole DELIMS process.
The documentation says:
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Before Change Detail, After Change Detail, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Device Group, Audit Comment
but it also specifies that these additional fields are "not in the default format"

We expect the following format instead:
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Device Group, Audit Comment

FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","future_use2","generated_time","host_name","vsys","command","admin","client","result","configuration_path","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name"

@lumpymilk lumpymilk added the bug label Jul 18, 2023
@paulmnguyen paulmnguyen self-assigned this Jul 18, 2023
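The misalignment described in the issue, shown as an added example (not code from the add-on or from the reporter): a plain comma split stands in for Splunk's DELIMS extraction, the sample CONFIG event is constructed, and it assumes no commas inside values. Both field lists follow the documented format quoted above, so they end in device_group and audit_comment.

```python
"""Show how listing Before/After Change Detail in the field list shifts
every field after Configuration Path when a default-format pan:config
event (which has no such fields) is parsed."""

# Field list as documented for CUSTOM logs (includes the two extra fields).
FIELDS_WITH_CHANGE_DETAIL = [
    "future_use1", "receive_time", "serial_number", "log_type", "log_subtype",
    "future_use2", "generated_time", "host_name", "vsys", "command", "admin",
    "client", "result", "configuration_path", "before_change_detail",
    "after_change_detail", "sequence_number", "action_flags",
    "devicegroup_level1", "devicegroup_level2", "devicegroup_level3",
    "devicegroup_level4", "vsys_name", "dvc_name", "device_group", "audit_comment",
]

# Field list for the DEFAULT format: the two Change Detail fields removed.
FIELDS_DEFAULT = [
    f for f in FIELDS_WITH_CHANGE_DETAIL
    if f not in ("before_change_detail", "after_change_detail")
]

# Constructed default-format CONFIG event: 24 comma-separated values.
SAMPLE_EVENT = (
    "1,2023/07/18 10:00:00,001234567890,CONFIG,0,0,2023/07/18 10:00:00,"
    "192.0.2.10,vsys1,set,admin,Web,Succeeded,"
    " vsys vsys1 rulebase security rules rule1,7000012345,0x0,0,0,0,0,"
    "vsys1,PA-VM,dg1,added rule1"
)


def extract(event: str, fields: list[str]) -> dict[str, str]:
    """Delimiter-based extraction: split on ',' and pair with field names.
    Like a positional DELIMS extraction, trailing fields simply go missing
    when the field list is longer than the event."""
    return dict(zip(fields, event.split(",")))


def shifted_fields(event: str) -> list[str]:
    """Names whose value differs between the correct (default) field list
    and the list that wrongly includes the Change Detail fields."""
    good = extract(event, FIELDS_DEFAULT)
    bad = extract(event, FIELDS_WITH_CHANGE_DETAIL)
    return sorted(name for name in good if bad.get(name) != good[name])


if __name__ == "__main__":
    for name in shifted_fields(SAMPLE_EVENT):
        print(f"{name}: expected {extract(SAMPLE_EVENT, FIELDS_DEFAULT)[name]!r}")
```

With the wrong list, sequence_number receives the Action Flags value and the device name and audit comment land in the wrong fields or disappear entirely.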