I just found what seems to be a minor issue with the syslog processing on the Windows Agent which doesn't appear in the agentless processing under PANOS.
I have migrated from agentless to a server based agent which is why I spotted this. I have two syslog filters I use, one is based on a regex and the other was a field based one as the messages were a lot simpler.
The regex one was working fine when I ported it across but I found that the field based one was messing up my user names. The messages are in the format
RadAcct username:xxxx ip:220.127.116.11
So nice and simple. Using "RadAcct" as my event string, "username:" as the user ID, "ip:" as the ID for the ip address and "\s" as the delimiter for both, that worked fine on PANOS. What I found on the windows agent was that the usernames were coming out as ":xxxx ip:18.104.22.168" The IP addresses were being picked out OK, it was just not delimiting the username.
I have worked around it by changing it to a regex but I thought you may be interested to know.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!