Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/579

From @ctramnitz on the PR I made against his branch.
> However, I'm not sure the result for is really as expected.
> It shouldn't be "<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1", but just
> "1". The rest is the Syslog header.
>
> Is the PaloParser called against the entire syslog line or after the
> header has been stripped out?

Keeping in mind that I'm definitely not an expert on this, here's what
I've dug up. If anybody has more expertise / insight, I'd be happy for the
contribution.
Looking over it, the full log line. Check out
metron-platform/metron-integration-test/src/main/sample/data/SampleInput/PaloaltoOutput
Looking at
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/60/pan-os/pan-os.pdf
for the 6.0 fields, they are
```
FUTURE_USE
Receive Time
Serial Number
Type
Subtype
FUTURE_USE
Generated Time
Source IP
Destination IP
NAT Source IP
NAT Destination IP
Rule Name
Source User
Destination User
Application
Virtual System
Source Zone
Destination Zone
Ingress Interface
Egress Interface
LogForwarding Profile
FUTURE_USE
Session ID
Repeat Count
Source Port
Destination Port
NAT SourcePort
NAT Destination Port
Flags
Protocol
Action
Miscellaneous
Threat ID
Category
Severity
Direction
Sequence Number
Action Flags
Source Location
Destination Location
FUTURE_USE
Content Type
PCAP_id*
Filedigest*
Cloud*
```
The field we pull out as `palo_alto_domain` appears to be a `FUTURE_USE`
field. There also doesn't appear to be something that would obviously correspond
to the PaloAltoDomain field (unless I can't read, which has happened before).
The field we call `time_logged` also appears to be `FUTURE_USE`. There's
also another FUTURE_USE, but I think I misread something because it didn't line
up like I expected (and the specifics aren't actually super important).
It makes me question how reliable anything labelled FUTURE_USE is (although
that doesn't stop us from looking at it and labelling it).
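To make the header question concrete, here is an added Python example (not Metron's PaloParser and not code from this PR) that strips the RFC 3164 syslog header and maps the comma-separated message onto the 6.0 field list quoted above, showing why parsing the full line leaves the header inside the first field. The sample line is constructed, and the header regex and function names are assumptions of this example.

```python
import csv
import re
# Field order from the PAN-OS 6.0 documentation as listed in the comment above.
PAN_OS_60_FIELDS = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype", "FUTURE_USE",
    "Generated Time", "Source IP", "Destination IP", "NAT Source IP",
    "NAT Destination IP", "Rule Name", "Source User", "Destination User",
    "Application", "Virtual System", "Source Zone", "Destination Zone",
    "Ingress Interface", "Egress Interface", "LogForwarding Profile", "FUTURE_USE",
    "Session ID", "Repeat Count", "Source Port", "Destination Port",
    "NAT SourcePort", "NAT Destination Port", "Flags", "Protocol", "Action",
    "Miscellaneous", "Threat ID", "Category", "Severity", "Direction",
    "Sequence Number", "Action Flags", "Source Location", "Destination Location",
    "FUTURE_USE", "Content Type", "PCAP_id", "Filedigest", "Cloud",
]

# RFC 3164-style header (assumed shape): <PRI>, "Mmm d HH:MM:SS", hostname, then the message.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample line in the same shape as the PaloaltoOutput sample data (not real data).
SAMPLE = ("<11>Jan 5 05:38:59 PAN1.exampleCustomer.com "
          "1,2015/01/05 05:38:58,0011C103117,THREAT,url,0,2015/01/05 05:38:58,"
          "10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,"
          "vsys1,internal,external,ethernet1/2,ethernet1/1,LogForwarding,0,12345,1,60193,80,0,0,"
          "0x208000,tcp,alert,\"www.example.com/path?a=1,b=2\",(9999),computer-and-internet-info,"
          "informational,client-to-server,0,0x0,10.0.0.0-10.255.255.255,United States,0,text/html,,,")

def split_syslog(line):
    """Return (header_dict, message); header_dict is None when no syslog header is present."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return {"pri": int(m.group("pri")), "timestamp": m.group("ts"), "host": m.group("host")}, m.group("msg")

def parse_palo_alto(line, strip_header=True):
    """Map the comma-separated PAN-OS message onto the documented field names.
    Repeated FUTURE_USE names get a numeric suffix so no position is silently overwritten."""
    header, message = split_syslog(line) if strip_header else (None, line)
    rows = list(csv.reader([message]))  # csv handles quoted fields that contain commas
    values = rows[0] if rows else []
    record, seen = {}, {}
    for name, value in zip(PAN_OS_60_FIELDS, values):
        seen[name] = seen.get(name, 0) + 1
        record[name if seen[name] == 1 else f"{name}_{seen[name]}"] = value
    if header:
        record["syslog"] = header
    return record

def future_use_values(record):
    """Values sitting in FUTURE_USE positions: undocumented, so don't derive a 'domain' field from them."""
    return {k: v for k, v in record.items() if k.startswith("FUTURE_USE")}
```

Calling `parse_palo_alto(SAMPLE, strip_header=False)` reproduces the polluted first field from the quoted comment, while the default call yields "1" there and the syslog header as its own sub-record.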