This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Dataset name change

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dataset name change

Go to solution
JahidAliyev
L2 Linker

‎02-27-2024 03:19 AM

Hello, 

 

I have linux logs which comes as:
[INGEST:vendor="unknown", product="unknown", target_dataset="unknown_unknown_raw", no_hit = drop]

 

It is collected under the dataset name called "unknown_unknown_raw". But I want to change its dataset name to something else. How can I do that?

0 Likes Likes
3 accepted solutions

Accepted Solutions

Go to solution
jmazzeo
L5 Sessionator
In response to JahidAliyev

‎02-27-2024 04:56 AM - edited ‎02-27-2024 04:57 AM

Then your best option is:

- Go to your Broker VM, edit the Syslog configuration, and then hardcode the vendor and product fields with the source IP of the logs. Take a look at this example in my lab:

jmazzeo_0-1709038334736.png

- This will create a NEW dataset with the configured fields like this: vendor_product_raw

 

We have our doc here with more Parsing Rule info: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Create-Pars...

 

There is a webinar available here with some very useful basic concepts: https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-customer-success-webinar-series-part...

 

JM

View solution in original post

0 Likes Likes

Go to solution
jmazzeo
L5 Sessionator
In response to JahidAliyev

‎02-27-2024 05:28 AM

  • You can go to Settings - Data Broker - Broker VM, click on the Syslog Applet and select "Configure".

jmazzeo_0-1709040232198.png

  • You can edit the default rule without any specific IP, and there change the Vendor and Product.

jmazzeo_1-1709040383726.png

 

jmazzeo_2-1709040413932.png

 

  • The "Syslog Collector" settings works like a firewall rule, works from the top to the bottom. You can have specific rules with IPs on top, and a default one without that setting configured in the last position.

jmazzeo_3-1709040524130.png

 

JM

View solution in original post

0 Likes Likes

Go to solution
JahidAliyev
L2 Linker
In response to jmazzeo

‎02-27-2024 05:36 AM

@jmazzeo I understand, thank you. And, please, can you answer this:

As you know PaloAlto has recently changed their licenses for Cortex XDR. As I know before it was Data Lake license with TBs but now, it is GB/per day. How can I calculate how much GB I need to buy for fully take advantage of this. Is there any sizing method? 

View solution in original post

0 Likes Likes
7 REPLIES 7

Go to solution
jmazzeo
L5 Sessionator

‎02-27-2024 04:38 AM

Hi @JahidAliyev, thanks for reaching us using the Live Community.

Are you using Broker VM Syslog to forward those logs to the console?

JM
0 Likes Likes

Go to solution
JahidAliyev
L2 Linker
In response to jmazzeo

‎02-27-2024 04:42 AM

Hi @jmazzeo, yes, i am using Broker VM

0 Likes Likes

Go to solution
jmazzeo
L5 Sessionator
In response to JahidAliyev

‎02-27-2024 04:56 AM - edited ‎02-27-2024 04:57 AM

Then your best option is:

- Go to your Broker VM, edit the Syslog configuration, and then hardcode the vendor and product fields with the source IP of the logs. Take a look at this example in my lab:

jmazzeo_0-1709038334736.png

- This will create a NEW dataset with the configured fields like this: vendor_product_raw

 

We have our doc here with more Parsing Rule info: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Create-Pars...

 

There is a webinar available here with some very useful basic concepts: https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-customer-success-webinar-series-part...

 

JM
0 Likes Likes

Go to solution
JahidAliyev
L2 Linker
In response to jmazzeo

‎02-27-2024 05:16 AM

@jmazzeo  As I understand I cannot change it directly. I need to change it from syslog collector. What if I have many linux endpoints that each sends logs to Broker VM. Do I need to do this action manually? I mean source IP is different for each linux endpoint. 

0 Likes Likes

Go to solution
jmazzeo
L5 Sessionator
In response to JahidAliyev

‎02-27-2024 05:28 AM

  • You can go to Settings - Data Broker - Broker VM, click on the Syslog Applet and select "Configure".

jmazzeo_0-1709040232198.png

  • You can edit the default rule without any specific IP, and there change the Vendor and Product.

jmazzeo_1-1709040383726.png

 

jmazzeo_2-1709040413932.png

 

  • The "Syslog Collector" settings works like a firewall rule, works from the top to the bottom. You can have specific rules with IPs on top, and a default one without that setting configured in the last position.

jmazzeo_3-1709040524130.png

 

JM
0 Likes Likes

Go to solution
JahidAliyev
L2 Linker
In response to jmazzeo

‎02-27-2024 05:36 AM

@jmazzeo I understand, thank you. And, please, can you answer this:

As you know PaloAlto has recently changed their licenses for Cortex XDR. As I know before it was Data Lake license with TBs but now, it is GB/per day. How can I calculate how much GB I need to buy for fully take advantage of this. Is there any sizing method? 

0 Likes Likes

Go to solution
jmazzeo
L5 Sessionator
In response to JahidAliyev

‎02-27-2024 05:38 AM

Yes, there is a sizing method available. Please talk with your PANW Sales contact and they will help you with that.

 

If you found any of the previous replies as the answer to the inquiry, please mark it as the solution.

JM
0 Likes Likes
  • 3 accepted solutions
  • 1297 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks