We are sending palo alto logs over UDP to a heavy fowarwarder which is forwarding logs to splunk cloud. The palo alto TA is not transforming the sourcetype correctly. In the indexed data the sourcetype is pan:log rather than pan:threat, pan:traffic etc. This is working fine in our on-prem environment.
The following is the stanza with our palo alto config.
[udp://50534]
connection_host = ip
sourcetype = pan:log
source = udp:50534
index = paloalto
disabled = 0
↧