Description of your problem
After upgrading from Graylog 4.0.13 / elasticsearch 6.8.12 to Graylog 4.2.1 / elasticsearch 6.8.20, I can no longer receive Palo Alto 9.1.7 firewall logs with the specific input "Palo Alto Networks TCP (PAN-OS v9+)".
Input was working fine before upgrade, with the help of extractor to fix a time zone issue.
In Graylog server logs, I have the following errors:
2021-11-16T09:26:50.401+01:00 WARN [MessagesAdapterES6] Failed to index message: index=<palo_307> id= error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [event_received_time] of type [date] in document with id 'f222ec93-46b6-11ec-b38c-005056b4ad05'","caused_by":{"type":"illegal_argument_exception","reason":"Invalid format: "2021-11-16T08:26:49.000Z" is malformed at "-11-16T08:26:49.000Z""}}>
Description of steps you’ve taken to attempt to solve the issue
I removed extractors.
I recreated input.
Environmental information
Graylog 4.0.13 / elasticsearch 6.8.12
Palo Alto 9.1.7 firewall
Operating system information
- CentOS: CentOS Linux release 8.4.2105
Package versions
- Graylog
  graylog-integrations-plugins-4.2.1-1.noarch
  graylog-server-4.2.1-1.noarch
  graylog-4.2-repository-1-4.noarch
- MongoDB
  mongodb-org-server-4.2.17-1.el8.x86_64
  mongodb-org-shell-4.2.17-1.el8.x86_64
  mongodb-org-tools-4.2.17-1.el8.x86_64
  mongodb-org-mongos-4.2.17-1.el8.x86_64
  mongodb-org-4.2.17-1.el8.x86_64
- Elasticsearch
  elasticsearch-oss-6.8.20-1.noarch