Graylog Palo Alto TCP input stopped working

We recently upgraded our CentOS box and also updated Graylog to the latest 4.2.3 version in light of the Log4j vulnerability.

Everything seems to work apart from the built-in Palo Alto TCP input. I deleted it and created a new one, but the problem persists.

We're also seeing a lot of this (probably related):
failed to parse field [event_received_time] of type [date] in document with id

Could you please point me to which logs need to be analyzed, and what else I should be looking at?

Hello there

The Graylog log file is usually found at /var/log/graylog-server/server.log; it should contain some clues as to why your Palo Alto TCP input is stopping.

Regarding the parsing failures, you could take a peek in System → Streams → "Processing and Index Failures" stream; any message that fails to parse should land there. From there you can figure out which input it was sent to, and why it wasn't parsed by that input.

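A small triage script for the two checks the reply suggests, added here as an example and not taken from the thread or from Graylog itself. It assumes the server log path given in the reply (overridable via GRAYLOG_LOG) and a hypothetical listener port for the input; the sample log lines it writes are constructed for demonstration and are not real Graylog output.

```shell
#!/usr/bin/env sh
# Added example: triage helpers for a Graylog input that stops working.
# Assumes the log path from the reply; override with GRAYLOG_LOG=/path/to/server.log.
LOGFILE="${GRAYLOG_LOG:-/var/log/graylog-server/server.log}"

# Count lines in the log file ($1) carrying the date-parse failure quoted in the
# question. A non-zero count means the indexer is rejecting event_received_time.
count_date_parse_failures() {
    grep -c 'failed to parse field \[event_received_time\] of type \[date\]' "$1"
}

# Print only WARN/ERROR lines in $1 that mention the Palo Alto input, so the
# exception that stopped the input is visible without reading the whole log.
palo_alto_input_errors() {
    grep -E '(WARN|ERROR)' "$1" | grep -i 'palo'
}

# Check whether anything is listening on the input's TCP port ($1).
# The port is an assumption: use the one configured on your input.
# Not run by default, since it needs ss(8) and a live host.
input_port_listening() {
    ss -ltn 2>/dev/null | grep -q ":$1 "
}

# Write a constructed sample log to $1 so the helpers can be exercised offline.
# These lines are made up for this example and do not reproduce real Graylog messages.
make_sample_log() {
    cat > "$1" <<'EOF'
2021-12-15T10:00:01.000Z INFO  [InputLauncher] Launching input [Palo Alto Networks TCP]
2021-12-15T10:00:02.000Z ERROR [InputLauncher] Input [Palo Alto Networks TCP] failed to start: Address already in use
2021-12-15T10:00:05.000Z WARN  [Messages] failed to parse field [event_received_time] of type [date] in document with id aaa
2021-12-15T10:00:06.000Z WARN  [Messages] failed to parse field [event_received_time] of type [date] in document with id bbb
2021-12-15T10:00:07.000Z INFO  [Periodicals] Starting periodicals
EOF
}

# When run on a real host with a readable server.log, summarize both symptoms.
if [ -r "$LOGFILE" ]; then
    echo "date-parse failures: $(count_date_parse_failures "$LOGFILE" || true)"
    palo_alto_input_errors "$LOGFILE" || echo "no WARN/ERROR lines mention the Palo Alto input"
fi
```

Run it on the Graylog host with the default path, or point GRAYLOG_LOG at a copied log. The two grep helpers deliberately match only the symptoms named in the thread, so they return nothing on an unrelated log rather than masking the real error with noise.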
