https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-new-log-category-help/m-p/565157#M100580 <P class="p1"><SPAN>I have no idea what I need to do here (if anything), and the guy who has dealt with getting data in previously is on holiday for a while so any advice is much appreciated</SPAN></P><P class="p3"><SPAN class="s2">We upgraded our Palo Alto firewall to a newer version which has moved the VPN logs from the system category to a separate one for GlobalProtect (more info <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/globalprotect-features/enhanced-logging-for-globalprotect" target="_blank" rel="noopener"><SPAN class="s3">here</SPAN></A> ) </SPAN></P><P class="p3"><SPAN class="s2">When I noticed we weren’t receiving the VPN logs anymore, we got the firewall guys to forward the new log category to us and our Splunk guy assured me that we wouldn’t need to do anything else</SPAN></P><P class="p3"><SPAN class="s2">However, the logs are supposedly being forwarded to us now but Splunk isn’t showing them, at least not in the index we have for the Palo Alto logs. Is our Splunk guy wrong and we do actually have to manually set up the new sourcetype? Or have the firewall guys messed up (harder to check due to language barriers and time differences)</SPAN></P><P class="p3"><SPAN class="s2">I am pretty clueless about this so apologies if this is a silly question</SPAN></P> Sun, 29 Aug 2021 00:06:52 GMT LynneEss 2021-08-29T00:06:52Z https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-new-log-category-help/m-p/565157#M100580 <P class="p1"><SPAN>I have no idea what I need to do here (if anything), and the guy who has dealt with getting data in previously is on holiday for a while so any advice is much appreciated</SPAN></P><P class="p3"><SPAN class="s2">We upgraded our Palo Alto firewall to a newer version which has moved the VPN logs from the system category to a separate one for GlobalProtect (more info <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/globalprotect-features/enhanced-logging-for-globalprotect" target="_blank" rel="noopener"><SPAN class="s3">here</SPAN></A> ) </SPAN></P><P class="p3"><SPAN class="s2">When I noticed we weren’t receiving the VPN logs anymore, we got the firewall guys to forward the new log category to us and our Splunk guy assured me that we wouldn’t need to do anything else</SPAN></P><P class="p3"><SPAN class="s2">However, the logs are supposedly being forwarded to us now but Splunk isn’t showing them, at least not in the index we have for the Palo Alto logs. Is our Splunk guy wrong and we do actually have to manually set up the new sourcetype? Or have the firewall guys messed up (harder to check due to language barriers and time differences)</SPAN></P><P class="p3"><SPAN class="s2">I am pretty clueless about this so apologies if this is a silly question</SPAN></P> Sun, 29 Aug 2021 00:06:52 GMT https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-new-log-category-help/m-p/565157#M100580 LynneEss 2021-08-29T00:06:52Z https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-new-log-category-help/m-p/565160#M100581 <P>It's not clear how you're receiving the logs and what's your configuration. <EM>Unless you're actively filtering the event categories</EM> the data should land somewhere if it is within the same syslog stream as the events you can see.</P><P>Did you confirm (tcpdump? some debug on your syslog layer if you use some intermediate solution) that the events are really getting sent?</P> Sun, 29 Aug 2021 06:39:54 GMT https://community.splunk.com/t5/Getting-Data-In/Palo-Alto-new-log-category-help/m-p/565160#M100581 PickleRick 2021-08-29T06:39:54Z