
PA firewall logs ingested in Splunk Cloud without field extractions #325

dchen-ae opened this issue Mar 21, 2024 · 2 comments
Describe the bug

PA firewall logs ingested in Splunk Cloud without field extractions.

Expected behavior

The pan:firewall sourcetype should be transformed into pan:traffic, pan:threat, pan:system and pan:config, with fields extracted.

Current behavior

The pan:firewall sourcetype is not being transformed, and field extractions are not working in Splunk Cloud.

Possible solution

If I send the logs from PA -> syslog server -> heavy forwarder -> Splunk Cloud, then the logs get their fields extracted.
But sending directly from PA -> syslog server -> Splunk Cloud does not work; fields are not extracted.

Fix the PA add-on to transform logs when they are indexed in Splunk Cloud.

Steps to reproduce

  1. Configure syslog server to receive logs from PA firewalls
  2. Install Palo Alto Networks Add-on & App in Splunk Cloud
  3. Configure log forwarding in PA firewall to send logs to syslog server
  4. Configure Splunk Universal Forwarder on the syslog server to send PA firewall logs to Splunk Cloud

Context

Would like to send the firewall logs directly to Splunk Cloud and remove the dependency on a heavy forwarder.

Your Environment

Splunk Cloud Version: 9.1.2308.203
Palo Alto Networks Add-on for Splunk: 8.1.1
syslog-ng: 4.6
PA firewall: 10.2.7-h3

Palo Alto - Syslog Server Profile
Transport: TCP
Port: 514
Format: BSD
Facility: LOG_USER
Custom Log Format: Default

dchen-ae added the bug label Mar 21, 2024

arcsector commented May 1, 2024

What does your data look like?


dchen-ae commented May 3, 2024 via email
