LEEF Log Format to Standard Log Format Extension

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L2 Linker
100% helpful (1/1)

 As of Palo Alto Networks App for QRadar version 1.1.0, we have exclusively switched to LEEF log format support. Below are the details on how to install our standard log extension. This will overwrite the custom properties to use standard log format. 

 

  1. Download extension attached.
  2. In the QRadar console navigate to the "Admin" tab
  3. Click on "Extensions"
  4. Install the extension provided
  5. You will need to confirm that you want to overwrite the current extensions

If you re uninstall and re-install the Palo Alto Networks App for QRadar please be sure to uninstall this extension as well and re-install if needed.

 

Note: Uninstalling this extension will not restore LEEF format custom event properties. You will have to reinstall the app to get LEEF format to work.

 

 

Rate this article:
Comments
L0 Member

Hello,

 

We are using this extension to keep logs sent in standard format, because we send logs simultaneously to QRadar and to a syslog archive. Box is running 7.1.7.

 

There's a problem with Config logs. Messages are being sent with "Configuration Path", but fields "Before Change" and "After Change" are missing.

L0 Member

Hi everybody

 

I installed App Palo Alto Networks for Qradar 1.1.1 and Palo Alto Networks Std Log Format for QRadar 1.0 in Qradar 7.3.1, but the app not display any information.

 

In contact with IBM Support they sayd:

 

"I see that the installation was successful however you still do not see any data. This is a matter that is supported by Palo Alto since we only take care of the installation.

Unfortunately, you will need to contact the vendor "Palo Alto" for any setup or configuration issues at their end."

 

Somebody can help-me about this problem?

L0 Member

Hi everybody

 

Facing similar issue. We installed App Palo Alto apps for Qradar 1.2.0 successfully. But, the dashboard for the app is not displaying any information.  All Zeros

 

Somebody can help us about this problem?

L0 Member

did anyone get a response or resolution to the Palo Alto app not showing any data? 

 

 

L4 Transporter

I have never actually seen this app working. Right now with the latest version of the app (1.2.0) and the standard log formatting app all we can see is the "Network Incidents", everything else is Error: Request failed with status code 422 

L2 Linker

We are having the same issue as well no data shown in app which is really disappointing.

L0 Member

Hello,

We have "Palo Alto Networks App for QRadar" installed on a QRadar.
But we are having problems checking events on log activity.

We can check the corresponding logs if we click on the graphs.

However, if we try to check an incident the log activity comes empty.
We've found the problem is reproduced because of an error in the AQL query that is generated by the app. The error is "username='null'". If we remove that "username='null'" or modify it by "username=null" the issue is fixed, but we need to do this manually every time we check an incident on the app and this is not the right way to use this app.

 

Do you know some way to fix this?

 

Thanks 🙂

  • 34124 Views
  • 7 comments
  • 1 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎08-26-2019 12:44 PM
Updated by:
Retired Member