03-13-2015 06:08 PM
I have a Splunk server that logs all Active Directory authentication events on my network. I have set up a syslog feed from the Splunk server to the Palo Alto. On the Palo Alto, I have created a syslog filter and added the Splunk as a User-ID syslog server.
The problem I have is that Splunk sends each logon event as a single syslog entry which contains carriage returns and new lines (\r and \n). From what I can tell, the Palo Alto expects to receive each user/IP pair in a single line. This means that I cannot parse the syslog to extract the info, as user ID and IP are on different lines within a single syslog entry. Any thoughts on this will be of much assistance to me.
Thank you. Ram.
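The normalization step the post is asking about, as an added example that is not part of the original post: collapse each multi-line event to one line, then pull the user and source IP out of it. The Windows logon event layout and the "user,ip" output format are constructed assumptions; the exact single-line format the firewall's syslog filter is configured to parse is not given here, so adjust the output to match it.

```python
import re
from typing import Optional, Tuple

# Constructed sample (not real Splunk output): one syslog payload carrying a
# Windows logon event spread over several lines with \r\n endings, as the
# post describes. The layout approximates a Windows 4624 logon event.
SAMPLE_EVENT = (
    "<13>Mar 13 18:08:01 splunk01 An account was successfully logged on.\r\n"
    "Subject:\r\n"
    "\tAccount Name:\t\tSYSTEM\r\n"
    "New Logon:\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
    "Network Information:\r\n"
    "\tSource Network Address:\t10.1.2.3\r\n"
)

# Same shape, but the event carries no usable source address.
NO_IP_EVENT = SAMPLE_EVENT.replace("10.1.2.3", "-")

# Anchored on "New Logon:" so the Subject's Account Name (often SYSTEM) is skipped.
USER_RE = re.compile(
    r"New Logon: Account Name: (?P<user>\S+) Account Domain: (?P<domain>\S+)"
)
IP_RE = re.compile(r"Source Network Address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def flatten(event: str) -> str:
    """Collapse embedded CR, LF and tab runs into single spaces so the whole
    event becomes one line that a line-oriented regex can match."""
    return re.sub(r"[\r\n\t]+", " ", event).strip()


def user_ip_pair(event: str) -> Optional[Tuple[str, str]]:
    """Return ("DOMAIN\\user", "ip") from one multi-line event, or None when
    either field is missing, so incomplete events are dropped rather than
    mapped to a bogus address."""
    line = flatten(event)
    user = USER_RE.search(line)
    ip = IP_RE.search(line)
    if not user or not ip:
        return None
    return f"{user['domain']}\\{user['user']}", ip["ip"]


def to_single_line(event: str) -> Optional[str]:
    """Emit one 'user,ip' line per event (assumed layout; match it to what
    the firewall's syslog filter actually parses)."""
    pair = user_ip_pair(event)
    return None if pair is None else f"{pair[0]},{pair[1]}"
```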