
Does Palo Alto Networks Add-on for Splunk parse only SYSTEM messages?

stanislavmerzly
Engager

Hello!

I send events from PaloAlto Panorama to Splunk, and I have a problem.

I installed the PaloAlto Add-on, but it doesn't work properly for me.

If I use my custom sourcetype, I see a lot of events, nearly 1000 per second.

If I use the pan:firewall sourcetype, I see no events.

If I use the pan:log sourcetype, I see only pan:system messages, for example like this (without the [] brackets):

[<14>Feb 7 22:11:46 my-domain 1,2019/02/07 22:11:45,000702397372,SYSTEM,tls,0,2019/02/07 22:11:45,,panorama-auth-success,,0,0,general,informational,"Client authentication successful PAN-OS ver: 8.0.4 Panorama ver:8.1.5 Client IP: x.x.x.x Server IP: y.y.y.y Client CN: 012001003158",387069,0x0,0,0,0,0,,Panorama]

But usually, I receive a lot of protocol-related events (see below); does the App parse it?

[<14>Feb 7 22:12:32 my-domain 1,2019/02/07 22:12:32,001801012275,TRAFFIC,start,1,2019/02/04 16:18:07,x.x.x.x,y.y.y.y,0.0.0.0,0.0.0.0,Dddd,,,bittorrent,vsys1,trust,trust,ethernet1/11,ethernet1/12,Logs,2019/02/04 16:18:07,111853,1,44822,19023,0,0,0x4000,udp,allow,76,76,0,1,2019/02/04 16:18:07,0,any,0,66004439243,0x8000000000000000,x.x.x.x-y.y.y.y,Russian Federation,0,1,0,n/a,11,0,0,0,,spb-pan,from-policy,,,0,,0,,N/A,0,0,0,0]

By the way, you can see the Panorama version (PAN-OS ver: 8.0.4 Panorama ver:8.1.5). So, I have several PaloAlto NGFWs that send data to Panorama.

Does anybody have any advice for me on what to do and how it is possible to automatically parse all events?

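As an added example (not code from the post or from the Palo Alto Add-on), the script below does offline what a pan:log routing transform has to do: it strips the Panorama syslog header, reads the PAN-OS CSV body, and assigns each event to a per-type sourcetype, using the two events quoted in the question as constructed sample input. The sourcetype names other than pan:system and the TRAFFIC field positions are assumptions based on the standard PAN-OS 8.x CSV layout; counting events per sourcetype is the check that shows whether TRAFFIC lines are being classified at all.

```python
import csv
import re
from io import StringIO

# Panorama syslog header: "<PRI>Mon D HH:MM:SS host " followed by the PAN-OS CSV body.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)

# Assumed: the sourcetype each PAN-OS log type is routed to; pan:system appears in the
# question, the others follow the same naming pattern. Unknown types stay as pan:log.
TYPE_TO_SOURCETYPE = {"TRAFFIC": "pan:traffic", "THREAT": "pan:threat",
                      "SYSTEM": "pan:system", "CONFIG": "pan:config"}

# Assumed 0-based positions in the PAN-OS 8.x TRAFFIC CSV layout (after the syslog header).
TRAFFIC_FIELDS = {"src": 7, "dst": 8, "rule": 11, "app": 14, "proto": 29, "action": 30}


def parse_pan_syslog(line):
    """Split one forwarded line into header fields plus the CSV body, keyed by log type."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a PAN-OS syslog line: %r" % line[:40])
    fields = next(csv.reader(StringIO(m.group("body"))))  # csv honours the quoted opaque field
    log_type = fields[3]  # layout: future_use, receive_time, serial, type, subtype, ...
    event = {"host": m.group("host"), "receive_time": fields[1], "serial": fields[2],
             "type": log_type, "subtype": fields[4],
             "sourcetype": TYPE_TO_SOURCETYPE.get(log_type, "pan:log")}
    if log_type == "TRAFFIC":
        event.update({k: fields[i] for k, i in TRAFFIC_FIELDS.items()})
    return event


def count_by_sourcetype(lines):
    """Tally how many events each sourcetype would receive; a type missing here was never parsed."""
    counts = {}
    for line in lines:
        st = parse_pan_syslog(line)["sourcetype"]
        counts[st] = counts.get(st, 0) + 1
    return counts


# Constructed sample input: the two events quoted in the question (brackets removed).
SAMPLE_LINES = [
    '<14>Feb 7 22:11:46 my-domain 1,2019/02/07 22:11:45,000702397372,SYSTEM,tls,0,2019/02/07 22:11:45,,panorama-auth-success,,0,0,general,informational,"Client authentication successful PAN-OS ver: 8.0.4 Panorama ver:8.1.5 Client IP: x.x.x.x Server IP: y.y.y.y Client CN: 012001003158",387069,0x0,0,0,0,0,,Panorama',
    '<14>Feb 7 22:12:32 my-domain 1,2019/02/07 22:12:32,001801012275,TRAFFIC,start,1,2019/02/04 16:18:07,x.x.x.x,y.y.y.y,0.0.0.0,0.0.0.0,Dddd,,,bittorrent,vsys1,trust,trust,ethernet1/11,ethernet1/12,Logs,2019/02/04 16:18:07,111853,1,44822,19023,0,0,0x4000,udp,allow,76,76,0,1,2019/02/04 16:18:07,0,any,0,66004439243,0x8000000000000000,x.x.x.x-y.y.y.y,Russian Federation,0,1,0,n/a,11,0,0,0,,spb-pan,from-policy,,,0,,0,,N/A,0,0,0,0',
]

if __name__ == "__main__":
    for ev in map(parse_pan_syslog, SAMPLE_LINES):
        print(ev["sourcetype"], ev["type"], ev["subtype"], ev.get("app", ""))
    print(count_by_sourcetype(SAMPLE_LINES))
```

Running the same tally over a sample of your raw custom-sourcetype events and comparing it with the per-sourcetype counts in the index shows whether a type is dropped at parsing time or simply arrives late.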

stanislavmerzly
Engager

I will write an answer for myself: I don't know why, but events appear in the Splunk index after nearly 45 min. So, I have a 45 min delay before I see all events.