Yes I did.
I started with a configuration that worked (PAN FW sends threat log and CPPM uses CoA to change authorization). What I did was:
- Modified the dictionary in order to match a new syslog event;
- Associated the new dictionary just created in Configuration--Network-Event Sources;
- Generated a new syslog event and tested.
For troubleshooting, I checked the .pcap and igesyslog.log for the format of the syslog event. It seems OK.
I checked my matching rule in the dictionary with http://grokconstructor.appspot.com/do/match. It seems OK.
What I've not been able to do is troubleshoot the parsing of the syslog.