on 03-07-2017 08:10 AM - edited on 08-26-2019 12:44 PM by Retired Member
As of Palo Alto Networks App for QRadar version 1.1.0, we have exclusively switched to LEEF log format support. Below are the details on how to install our standard log extension. This will overwrite the custom properties to use the standard log format.
If you uninstall and re-install the Palo Alto Networks App for QRadar, please be sure to uninstall this extension as well and re-install it if needed.
Note: Uninstalling this extension will not restore LEEF format custom event properties. You will have to reinstall the app to get LEEF format to work.
We are using this extension to keep logs sent in standard format, because we send logs simultaneously to QRadar and to a syslog archive. Box is running 7.1.7.
There's a problem with Config logs. Messages are being sent with "Configuration Path", but fields "Before Change" and "After Change" are missing.
I installed the Palo Alto Networks App for QRadar 1.1.1 and Palo Alto Networks Std Log Format for QRadar 1.0 in QRadar 7.3.1, but the app does not display any information.
In contact with IBM Support they said:
"I see that the installation was successful however you still do not see any data. This is a matter that is supported by Palo Alto since we only take care of the installation.
Unfortunately, you will need to contact the vendor "Palo Alto" for any setup or configuration issues at their end."
Can somebody help me with this problem?
I have never actually seen this app working. Right now, with the latest version of the app (1.2.0) and the standard log formatting app, all we can see is "Network Incidents"; everything else is "Error: Request failed with status code 422".
We are having the same issue as well: no data shown in the app, which is really disappointing.
We have "Palo Alto Networks App for QRadar" installed on a QRadar.
But we are having problems checking events on log activity.
We can check the corresponding logs if we click on the graphs.
However, if we try to check an incident the log activity comes empty.
We've found the problem is reproduced because of an error in the AQL query that is generated by the app. The error is "username='null'". If we remove that "username='null'" or modify it by "username=null" the issue is fixed, but we need to do this manually every time we check an incident on the app and this is not the right way to use this app.
Do you know some way to fix this?
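One way to see the defect described in this post, as an added example that is not the app's own code (the incident records, builder functions, the IS NULL rewrite and the predicate-stripping workaround are assumptions made here):

```javascript
// Added example: a missing username interpolated into a string template becomes
// the literal text 'null', so the generated filter username='null' matches no
// events. Field values are assumed to come from the app's own parsed records.

// Constructed sample incidents; the second one has no username.
const SAMPLE_INCIDENTS = [
  { sourceip: "10.0.0.5", username: "alice" },
  { sourceip: "10.0.0.7", username: null },
];

// Buggy builder: String(null) is "null", so the predicate becomes username='null'.
function buildWhereBuggy(incident) {
  return Object.entries(incident)
    .map(([field, value]) => `${field}='${String(value)}'`)
    .join(" AND ");
}

// Fixed builder: a missing field becomes an IS NULL predicate (assumed AQL
// syntax) instead of a string comparison against the text 'null'.
function buildWhereFixed(incident) {
  return Object.entries(incident)
    .map(([field, value]) =>
      value === null || value === undefined
        ? `${field} IS NULL`
        : `${field}='${String(value)}'`)
    .join(" AND ");
}

// The manual workaround from the post, applied to an already generated WHERE
// clause: drop the username='null' predicate together with its dangling AND.
function stripNullUsername(where) {
  return where
    .replace(/\s+AND\s+username='null'/g, "")
    .replace(/username='null'\s+AND\s+/g, "")
    .replace(/^username='null'$/, "");
}

// Wrap a WHERE clause in a complete AQL statement.
function selectEvents(where) {
  return `SELECT * FROM events WHERE ${where} LAST 24 HOURS`;
}

for (const incident of SAMPLE_INCIDENTS) {
  console.log("buggy:", selectEvents(buildWhereBuggy(incident)));
  console.log("fixed:", selectEvents(buildWhereFixed(incident)));
}
```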