I was wondering if someone could help me properly tag my Palo Alto events
they come in like the following but don't match the transform listed in the default: Jan 18 07:11:24 pan.network.local 07: 11:24,0005C100436,TRAFFIC,end,1,2012/01/18 07:11:23,100.111.133.229,65.55.202.157,0.0.0.0,0.0.0.0,Base_Policy,,,live-mesh-base,vsys1,trust,untrust,ae1,ae2,Enterprise Forwarding,2012/01/18 07:11:23,351785,1,61561,443,0,0,0x0,tcp,allow,57679,57679,0,15,2012/01/18 07:08:51,150,internet-communications,0,879109,0x0,United States,United States,0,15,0
so i created my own but i think i'm missing something:
[extract_traffic] DELIMS = "," FIELDS = "junk", "serial", "log_type", "log_subtype", "config_ver", "time_generated", "src_ip","dst_ip", "nat_src_ip", "nat_dst_ip", "rule", "src_user", "dst_user", "app", "vsys", "src_zone", "dst_zone", "src_interface","dst_interface", "log_fwd_profile", "time_logged", "session_id", "repeat_cnt", "src_port", "dst_port", "nat_src_port", "nat_dst_port", "flags", "proto", "action", "bytes", "bytes_sent", "bytes_received", "packets", "time_started", "elapsed", "padding"
anyone able to help speak to what each field should be in my sample log to get this app to fully work?