We already have the pan devices logging to our syslog-ng server. I have deployed the following inputs.conf to the forwarder:
# syslog forwarder inputs
[monitor:///var/log/syslog/PaloAlto/]
host_segment = 5
index = pan_logs
sourcetype = pan_log
blacklist = \.(gz|bz2)$
Data is hitting the pan_logs index; however, none of the dashboards are populating. After looking at some of the searches, I noticed other pan sourcetypes that are not being populated. I assume these are supposed to be rewritten at index time? All data in the pan_logs index is sourcetype = pan_log. Any ideas?