Github user justinleet commented on the issue:

    https://github.com/apache/metron/pull/579

from @ctramnitz on the PR I made against his branch.

> However, I'm not sure the result for is really as expected.
> It shouldn't be "<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1", but just "1". The rest is the Syslog header.
>
> Is the PaloParser called against the entire syslog line or after the header has been stripped out?

Keeping in mind that I'm definitely not an expert on this, here's what I've dug up. If anybody has more expertise / insight, I'd be happy for the contribution.

Looking over it, the full log line. Check out metron-platform/metron-integration-test/src/main/sample/data/SampleInput/PaloaltoOutput

Looking at https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/60/pan-os/pan-os.pdf for the 6.0 fields, they are

```
FUTURE_USE
Receive Time
Serial Number
Type
Subtype
FUTURE_USE
Generated Time
Source IP
Destination IP
NAT Source IP
NAT Destination IP
Rule Name
Source User
Destination User
Application
Virtual System
Source Zone
Destination Zone
Ingress Interface
Egress Interface
LogForwarding Profile
FUTURE_USE
Session ID
Repeat Count
Source Port
Destination Port
NAT SourcePort
NAT Destination Port
Flags
Protocol
Action
Miscellaneous
Threat ID
Category
Severity
Direction
Sequence Number
Action Flags
Source Location
Destination Location
FUTURE_USE
Content Type
PCAP_id*
Filedigest*
Cloud*
```

The field we pull out as `palo_alto_domain` appears to be a `FUTURE_USE` field. There also doesn't appear to be something that would obviously correspond to the PaloAltoDomain field (unless I can't read, which has happened before). The field we call `time_logged` also appears to be `FUTURE_USE`. There's also another FUTURE_USE, but I think I misread something because it didn't line up like I expected (and the specifics aren't actually super important).
It makes me question how reliable anything labelled FUTURE_USE is (although that doesn't stop us from looking at it and labelling it).
---
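The two points raised in the comment above, that the parser should see "1" once the syslog header is stripped and that several PAN-OS 6.0 columns are FUTURE_USE, as an added Python example that is not Metron's code or part of the PR. The column names are the 6.0 threat-log list quoted above (trailing asterisks dropped), the header regex assumes the RFC 3164 shape shown in the quoted line, and the sample log line is constructed.

```python
import csv
import re

# PAN-OS 6.0 threat-log columns, in the order quoted in the comment above.
# FUTURE_USE slots stay positional but never get a meaningful name.
PAN_THREAT_FIELDS = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype",
    "FUTURE_USE", "Generated Time", "Source IP", "Destination IP",
    "NAT Source IP", "NAT Destination IP", "Rule Name", "Source User",
    "Destination User", "Application", "Virtual System", "Source Zone",
    "Destination Zone", "Ingress Interface", "Egress Interface",
    "LogForwarding Profile", "FUTURE_USE", "Session ID", "Repeat Count",
    "Source Port", "Destination Port", "NAT SourcePort", "NAT Destination Port",
    "Flags", "Protocol", "Action", "Miscellaneous", "Threat ID", "Category",
    "Severity", "Direction", "Sequence Number", "Action Flags",
    "Source Location", "Destination Location", "FUTURE_USE", "Content Type",
    "PCAP_id", "Filedigest", "Cloud",
]

# RFC 3164 style header "<PRI>Mon dd hh:mm:ss host "; the CSV body follows it.
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) (.*)$")

def parse_pan_threat(line):
    """Map one PAN-OS 6.0 threat line to {field: value}. Reserved columns
    are collected as (index, value) under 'future_use' instead of named."""
    m = SYSLOG_HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no RFC 3164 syslog header on line")
    host, body = m.group(1), m.group(2)  # body starts at "1", not the header
    values = next(csv.reader([body]))  # quoted Miscellaneous may hold commas
    if len(values) != len(PAN_THREAT_FIELDS):  # column count is version specific
        raise ValueError(f"expected {len(PAN_THREAT_FIELDS)} columns, got {len(values)}")
    record = {"syslog_host": host, "future_use": []}
    for idx, (name, value) in enumerate(zip(PAN_THREAT_FIELDS, values)):
        if name == "FUTURE_USE":
            record["future_use"].append((idx, value))
        else:
            record[name] = value
    return record

# Constructed sample: the header from the comment plus a made-up 45-column body.
SAMPLE_LINE = (
    "<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2013/01/05 05:38:59,"
    "0006C110285,THREAT,vulnerability,1,2013/01/05 05:38:59,10.0.0.1,192.0.2.10,"
    "0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,"
    "ethernet1/1,default,1,12345,1,51234,80,0,0,0x0,tcp,alert,"
    '"example.invalid/index.html,x",Example Threat(1000),any,medium,'
    "client-to-server,7,0x0,10.0.0.0-10.255.255.255,US,0,text/html,0,,"
)
```

Running `parse_pan_threat(SAMPLE_LINE)` reports the reserved slots at indices 0, 5, 21 and 40, which is where a mapping such as `palo_alto_domain` or `time_logged` would otherwise be pointing.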