topic Re: Logs from PaloAlto in Getting Data In

Logs from PaloAlto

Rabab — Fri, 19 Apr 2024 22:10:07 GMT

I have Splunk Installed on a windows machine and configured PaloAlto app along with Add on.

I have done configurations on Palo Alto. I can see from packet Capture that palo alto is sending logs successfully to the windows machine where splunk is installed but I cannot see anything in splunk itself. Can anyone help?

Regards

Rabab

Re: Logs from PaloAlto

P_vandereerden — Fri, 19 Apr 2024 23:13:45 GMT

Hi Rabab,

A few more details will be needed to help here.

Is your Palo Alto setup sending directly to Splunk, with a syslog server, or via an HF/UF?

Where have you tried looking for the data? Have you looked to see if any of your indexes are growing?

Re: Logs from PaloAlto

Rabab — Sat, 20 Apr 2024 00:36:49 GMT

Hello Paul,

Thank you for a quick response, Its direct from Palo to to Splunk. I am using Paloalto App and Add on, I am not seeing indexes growing at all. I tried looking at the data from Search option and try to match with various filters.

Regards

Rabab

Re: Logs from PaloAlto

PickleRick — Sat, 20 Apr 2024 06:24:13 GMT

I assume PAlto is sending events as syslog data. As you're using Windows I suspect you're not using any additional syslog receiver but want to receive syslog directly on your Splunk (which is not the best idea but let's leave it for now). Have you configured any inputs on your Splunk instance to receive the syslog events? Do you have proper rules in your server's firewall to allow for this traffic?

Re: Logs from PaloAlto

Rabab — Sat, 20 Apr 2024 11:01:31 GMT

Hello PickleRick,

I he created data input o allow udp14 traffic. So is index. Please check these screenshots for clarity,

192.168.3.5 is Palo Device and 192.168.3.1 is windows machine where Splunk is installed

Re: Logs from PaloAlto

PickleRick — Sat, 20 Apr 2024 18:22:15 GMT

That dump looks pretty much OK.

Are you 100% sure your udp:514 input sends to the right index? You can also try to find reports about that particular source of syslog data with

index=_internal source=*metrics.log group=udpin_connections 192.168.3.5

If Splunk is receiving data from this host on that udp input, you should get some results with metrics field like _udp_bps, _udp_eps and so on.

Re: Logs from PaloAlto

Rabab — Sat, 20 Apr 2024 19:27:42 GMT

I tried to query "

index=_internal source=*metrics.log group=udpin_connections 192.168.3.5

It did not come back with anything.

I believe i have configured the data input correctly and pointing to right index

Re: Logs from PaloAlto

PickleRick — Sat, 20 Apr 2024 20:03:40 GMT

At first glance looks pretty OK.

Check your windows firewall.

Re: Logs from PaloAlto

Rabab — Sat, 20 Apr 2024 20:08:54 GMT

For testing, I have disabled the windows firewall. But I can see that logs are actually arriving within the windows machine and Splunk is not picking them up.

Re: Logs from PaloAlto

PickleRick — Sat, 20 Apr 2024 20:16:59 GMT

Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the input is defined, something might be preventing Splunk from binding to the port).

Did you verify with netstat that the Splunk process is actually listening on this port?

(BTW, I don't remember if you don't need to restart splunkd after adding the input using WebUI or REST. You must do so if you change inputs by config files).

Re: Logs from PaloAlto

Rabab — Sat, 20 Apr 2024 22:58:56 GMT

update: I have gone over the configs and

index=_internal source=*metrics.log group=udpin_connections 192.168.3.5

is giving following output.

Re: Logs from PaloAlto

PickleRick — Sun, 21 Apr 2024 07:09:41 GMT

We're getting somewhere 🙂

As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to.

By the fact that it's a windows installation and because it's called "DESKTOP-something" I assume that it's your private test box and you're not having a lot of data on it. So you can run a

index=*

search over "All time (real-time)" - this is one of the very very rare cases where real-time search makes sanes. Very important - don't try this on any production or heavily loaded test box.

With this you can see the events as they come into your Splunk box (so if your events are rare you might to wait a while). Check the index, source, sourcetype and timestamp of the incoming events.

Another way to find where those events are could be to run

| tstats count where index=* by source sourcetype index

Re: Logs from PaloAlto

Rabab — Sun, 21 Apr 2024 08:30:51 GMT

Its all working now, Thank you for your help

Re: Logs from PaloAlto

PickleRick — Sun, 21 Apr 2024 09:28:33 GMT

For future reference so that if someone finds this thread has full information - tell us what did you do to make things work in the end/what was the problem.