Hello Everyone,
I am using Palo Alto and Fortigate virtual appliances and testing them with LEM. I observed that most of the event information goes into the Extraneous field in LEM's normalized events. With Palo Alto, I observed that LEM is not able to understand the Palo Alto custom syslog format, and most of the logs appear as an unmatched string, meaning it's not able to parse the data well. The reason I am using a custom syslog format is that the default log format of Palo Alto has limited fields in the syslog message and doesn't give meaningful information, or rather you cannot derive what exactly happened from the default syslog format.
The firmware/software version I am using for FG and PA are as below.
Fortigate: v5.4.0,build1011 (GA)
Palo Alto: 7.1.0
Fortigate: 5.0+, 2.8, 2.5, 300C connectors enabled
Palo Alto: PA2000 and PA4000 connector enabled, which is the only connector available
So I just wanted to check whether anyone is already managing these two devices with LEM and facing the same issue, or whether I am missing something here.