Hello!
I have a problem with Palo_Alto_Firewall_Event_Collector logs severity levels.
Collector works, but all logs are registered as severity 1. I collect only THREAT logs from Palo Alto and use the default syslog format. As I understand it, the collector registers that the vendor_severity value doesn't exist and uses this rule (taken from workgroup0.xml):
<ses-processor-spec enabled="true" name="populate severity if it is empty">
<match-criteria fieldName="severity">
<value>NOTEXIST</value>
</match-criteria>
<event-field name="severity">1</event-field>
</ses-processor-spec>
I saved syslog packets and saw that severity is sent like:
…,SMB.User.Password.Brute-force.Attempt(40004),any,high,client-to-server,…
I’m using SSIM 4.8 and PAN-OS 4.1.8, and the collector is updated with LiveUpdate. Maybe someone here has had the same issue or has any good ideas?
Thanks in advance!
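The post boils down to one question: does the collector find the vendor severity field in the THREAT line, and what does it do when it cannot? The following is an added example, not code from the post or from the Symantec collector, that shows how a parser can locate the `threat(id),category,severity,direction` run quoted in the packet capture and map the PAN-OS severity word to a numeric value, falling back to 1 exactly as the "populate severity if it is empty" rule does. The sample log lines are constructed, the surrounding field layout is an assumption (only the quoted four-field run is taken from the post), and the numeric scale in `VENDOR_SEVERITY` is an assumed mapping, not SSIM's own table.

```python
import csv
import re

# Assumed numeric scale (not SSIM's table): PAN-OS vendor severity word -> event severity.
VENDOR_SEVERITY = {
    "informational": 1,
    "low": 2,
    "medium": 3,
    "high": 4,
    "critical": 5,
}
# Value the "populate severity if it is empty" rule assigns when no vendor severity is found.
DEFAULT_SEVERITY = 1

# A THREAT log carries the threat name with its numeric id in parentheses,
# e.g. SMB.User.Password.Brute-force.Attempt(40004). That token is used as the
# anchor: category, severity and direction follow it, per the quoted packet.
THREAT_ID_RE = re.compile(r"^.+\(\d+\)$")

# Constructed sample lines (not from the post). Only the
# "threat(id),category,severity,direction" run is modelled on the quoted capture;
# every other field is an assumed placeholder.
SAMPLE_HIGH = (
    "<14>Jan 01 00:00:00 pa-fw 1,2013/01/01 00:00:00,0001A0000001,THREAT,vulnerability,1,"
    "2013/01/01 00:00:00,192.0.2.10,198.51.100.20,0.0.0.0,0.0.0.0,allow-smb,,,ms-ds-smb,"
    "vsys1,trust,untrust,ethernet1/1,ethernet1/2,,2013/01/01 00:00:00,1234,1,49152,445,0,0,"
    "0x0,tcp,alert,\"\",SMB.User.Password.Brute-force.Attempt(40004),any,high,client-to-server,0"
)
SAMPLE_CRITICAL = SAMPLE_HIGH.replace(",any,high,", ",any,critical,")
# A TRAFFIC line has no threat(id) token, so the anchor is missing entirely.
SAMPLE_TRAFFIC = (
    "<14>Jan 01 00:00:00 pa-fw 1,2013/01/01 00:00:00,0001A0000001,TRAFFIC,end,1,"
    "2013/01/01 00:00:00,192.0.2.10,198.51.100.20,0.0.0.0,0.0.0.0,allow-smb,,,ms-ds-smb,"
    "vsys1,trust,untrust,ethernet1/1,ethernet1/2,,2013/01/01 00:00:00,1234,1,49152,445,0,0,"
    "0x0,tcp,allow,512,256,256,4,2013/01/01 00:00:00,10,any,0,0,0x0,aged-out"
)


def parse_threat_fields(line):
    """Return (threat, category, vendor_severity, direction) for a THREAT line,
    or None when the threat(id) anchor is absent.

    Anchoring on the threat(id) token instead of a fixed column index keeps the
    parser tolerant of the syslog header prefix and of extra leading fields,
    which is the kind of offset that silently turns a severity lookup into
    'field does not exist'. csv.reader is used so quoted fields containing
    commas do not shift the columns."""
    fields = next(csv.reader([line]))
    for i, field in enumerate(fields):
        if THREAT_ID_RE.match(field) and i + 3 < len(fields):
            return (field, fields[i + 1], fields[i + 2].strip().lower(), fields[i + 3])
    return None


def event_severity(line):
    """Numeric severity for the line: mapped from the vendor word when the
    THREAT fields are found, otherwise the rule's default of 1."""
    parsed = parse_threat_fields(line)
    if parsed is None:
        return DEFAULT_SEVERITY
    return VENDOR_SEVERITY.get(parsed[2], DEFAULT_SEVERITY)


if __name__ == "__main__":
    for name, line in (("high", SAMPLE_HIGH), ("critical", SAMPLE_CRITICAL), ("traffic", SAMPLE_TRAFFIC)):
        print(name, parse_threat_fields(line), event_severity(line))
```

If every THREAT event still lands at severity 1 with a parser like this, the useful diagnostic is which branch is taken: `parse_threat_fields` returning None means the anchor (and so the column layout) is not what the parser expects, while a returned tuple with an unmapped word points at the severity vocabulary instead. The same split applies to the collector's `vendor_severity` lookup, which is why saving the raw packets, as the post did, is the right first step.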