Palo Alto Networks Input: quoted string with commas

The Palo Alto Input doesn’t ignore commas in a quoted string, and therefore doesn’t index the fields properly.

Is there a way to configure the input to respect the quoted strings that Palo Alto sends in its messages?

The log received from Palo Alto looks like this:

1,2019/04/25 15:32:04,009900009999,SYSTEM,globalprotect,0,2019/04/25 15:32:04,,globalprotectportal-auth-succ,GP_PortalAdm_Optional,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 10.0.0.1, Source region: DK, User name: pre-logon, Auth type: client certificate.",16657523,0x0,0,0,0,0,,PA-VM

Palo Alto Networks Input configuration (Only the system section listed below):

SYSTEM_TEMPLATE: position,field,type
1,receive_time,STRING
2,serial_number,STRING
3,type,STRING
4,content_threat_type,STRING
5,future_use1,STRING
6,generated_time,STRING
7,virtual_system,STRING
8,event_id,STRING
9,object,STRING
10,future_use2,STRING
11,future_use3,STRING
12,module,STRING
13,severity,STRING
14,description,STRING
15,sequence_number,STRING
16,action_flags,STRING
17,device_group_hierarchy_l1,STRING
18,device_group_hierarchy_l2,STRING
19,device_group_hierarchy_l3,STRING
20,device_group_hierarchy_l4,STRING
21,virtual_system_name,STRING
22,device_name,STRING

All the fields down to position 14 are correct. The Description field and the following fields contain:

Description
"GlobalProtect portal user authentication succeeded. Login from: 80.62.237.92

sequence_number
Source region: DK

action_flags
User name: pre-logon

device_group_hierarchy_l1
Auth type: client certificate."

device_group_hierarchy_l2
16657523

I don’t see any option on the Input that would allow me to control the parsing of quoted strings. Nor have I been able to find any helpful information on the topic.

It would probably be possible to do this with a standard Syslog input and some GROK patterns but that negates the purpose of the dedicated Palo Alto Input.

The setup is running on the OVA image and is running Graylog 3.0.1-2 with the graylog-integrations-plugins installed.

The Palo Alto Networks Input Plugin is installed with:

sudo apt-get install graylog-integrations-plugins

Found in the docs under Integrations (http://docs.graylog.org/en/3.0/pages/integrations/setup.html)

The Palo Alto system is running Software Version 8.0.13.
The Syslog server is configured as TCP and format IETF, with the default log format.
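To make the mis-indexing above concrete, here is an added example (not code from the plugin or from the poster) that parses the sample line both ways: a naive split on every comma, which reproduces the shifted fields shown in the post, and an RFC 4180-style quoted-CSV parse using Python's csv module, which keeps the description intact. The field list is the SYSTEM_TEMPLATE from the post; the expected column count is assumed from that template.

```python
import csv

# Constructed sample: the system log line quoted in the post.
SAMPLE_LINE = (
    '1,2019/04/25 15:32:04,009900009999,SYSTEM,globalprotect,0,'
    '2019/04/25 15:32:04,,globalprotectportal-auth-succ,GP_PortalAdm_Optional,'
    '0,0,general,informational,"GlobalProtect portal user authentication succeeded. '
    'Login from: 10.0.0.1, Source region: DK, User name: pre-logon, '
    'Auth type: client certificate.",16657523,0x0,0,0,0,0,,PA-VM'
)

# Field names from the SYSTEM_TEMPLATE, in template position order (1-based).
SYSTEM_FIELDS = [
    "receive_time", "serial_number", "type", "content_threat_type", "future_use1",
    "generated_time", "virtual_system", "event_id", "object", "future_use2",
    "future_use3", "module", "severity", "description", "sequence_number",
    "action_flags", "device_group_hierarchy_l1", "device_group_hierarchy_l2",
    "device_group_hierarchy_l3", "device_group_hierarchy_l4",
    "virtual_system_name", "device_name",
]

def split_naive(line):
    """Split on every comma, ignoring quotes (the behaviour described in the post)."""
    return line.split(",")

def split_quoted(line):
    """Split as quoted CSV: commas inside double quotes are part of the field."""
    return next(csv.reader([line], delimiter=",", quotechar='"'))

def map_fields(values):
    """Map raw columns onto template names.

    Column 0 of a PAN-OS log is an unused leading field, so template
    position N corresponds to values[N].  Missing columns map to None.
    """
    payload = values[1:]
    return {name: (payload[i] if i < len(payload) else None)
            for i, name in enumerate(SYSTEM_FIELDS)}

def parse_system_log(line):
    """Quote-aware parse with a column-count check, so a malformed or
    differently formatted line is rejected instead of silently mis-indexed."""
    values = split_quoted(line)
    expected = len(SYSTEM_FIELDS) + 1  # assumption: one leading unused column
    if len(values) != expected:
        raise ValueError(f"expected {expected} columns, got {len(values)}")
    return map_fields(values)
```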

Would you mind opening a bug report for that?

Created Issue #21
https://github.com/Graylog2/graylog-plugin-integrations/issues/21

Hi @Bat,
Thanks for reporting this issue. I have responded with additional details on the Github issue.