Hi Team,
Palo Alto logs have been successfully sent to our Syslog server. Our Syslog server acts as a Heavy Forwarder, hence we have installed the Add-on "Palo Alto Networks Add-on for Splunk" (https://splunkbase.splunk.com/app/2757) on our Syslog Heavy Forwarder server.
As per the document provided with the Add-On, we have changed the sourcetype to pan:log, and when we searched the logs in Splunk the data was split into three sourcetypes: pan:traffic, pan:threat & pan:system.
Now the issue seems to be with the Field Extractions. The field extractions are not happening as expected.
The PAN OS version is 9.0.5 and the fields are not getting extracted as per the props.conf and transforms.conf present in the installed Add-On.
So kindly let me know how to fix the issue.
Hi,
Have you installed the Palo Alto add-on on the search head? If not, then you need to install it on the Search Head as well for field extraction.
@harsmarvania57,
Thank you for your response.
I was under the assumption that field extractions would work if we installed the Add-On on the Heavy Forwarder itself, since we did that for the Cisco ASA Add-on: we installed the Add-on on the Heavy Forwarder, after which the fields were automatically extracted in Splunk Cloud.
So what is the necessity to install the Add-on on the search head as well? Kindly let us know.
I have already submitted a case to support to install the Add-on on our Splunk Cloud Search head as well, but I really want to know why it is mandatory to install it on the Search head as well.
Have a look at https://splunk.paloaltonetworks.com/installation.html#where-to-install ; there you can see where the Add-on installation is required.
Additionally, if you look at props.conf in the Palo Alto Add-on you can see the config below; in that config, REPORT-search, FIELDALIAS-* and LOOKUP-* work on the Search Head.
[pan:traffic]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-search = extract_traffic
FIELDALIAS-app = app as application
FIELDALIAS-virtual_system = vsys as virtual_system
# Field Aliases to map specific fields to the Splunk Common Information Model - Network Traffic
EVAL-vendor_action = action
LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action
# bytes, bytes_in, bytes_out
FIELDALIAS-dest_for_pan_traffic = dest_ip as dest
FIELDALIAS-dvc_for_pan_traffic = host as dvc
FIELDALIAS-protocol_for_pan_traffic = protocol as vendor_protocol
FIELDALIAS-src_for_pan_traffic = src_ip as src
Thank you for the valuable information. Let me get the Add-on and App installed on the Search head as well, and I will update you on how it works.
After installing the Add-on on the Search Head, the field extractions are happening as expected. Thanks
@anandhalagarasan16021988, after installing the Add-on on the SH, do we have to configure the settings in the GUI, or will simply installing the Add-on work?
I just installed the add-on on the SH (haven't configured it) and it's still not parsing as expected.
We have installed the Add-On in two places:
1) Heavy Forwarder
2) Search Head
The logs are received on our Heavy Forwarder, so field extractions will happen at indexing time.
We then installed the Add-On on the Search head to do search-time field extractions.
Kindly note we have just installed the Add-on in both places and didn't perform any configuration.
During ingestion, have you renamed the sourcetype to pan:log so that the logs are segregated into three sourcetypes?
pan:traffic
pan:threat
pan:system
Then, after installing the Add-ON, field extractions would happen automatically.
@anandhalagarasan16021988 Yes, I got the segregated sourcetypes. But my logs look like below:
"< 14 >"Feb 17 14:19:33 xx.xx.xx.xx 1,2020/02/17 14:19:33,016401000908,TRAFFIC,end,2304,2020/02/17 14:19:33,35.xx.xx.xx.xx,xx.xx.xx.xx0.0.0.0,0.0.0.0,INET-GUEST-ACCESS,,,non-syn-tcp,vsys1,INTERNET,INTERNET,ae2,ae2,LOG_FWD_PROF_1,2020/02/17 14:19:33,727602,1,443,24892,0,0,0xc,tcp,allow,66,66,0,1,2020/02/17 14:18:01,0,any,0,20697326448,0x0,,0,1,0,aged-out,0,0,0,0,,FWRY94-WIFI-F1-02,from-policy,,,0,,0,,N/A,0,0,0,0,50f6973a-da2e-435d-8ba9-40c9ee826cd7,0--"
I cannot paste the screenshot here. At the beginning of the log, before Feb, it's showing "< 14 >".
Also, I cannot see src_ip, dst_ip etc.
This is how the log looks when it has been segregated into three sourcetypes.
But in my logs I am able to see the src_ip and dest_ip fields.
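For readers following this thread, an added example (not code from the Palo Alto Networks Add-on, and not from any poster here) that shows what the quoted [pan:traffic] settings actually do to a line like the one above: the TIME_PREFIX regex skips six comma-separated columns before the timestamp, and the leading syslog "<14>" header does not break it because the header contains no comma and is simply absorbed into the first column. The column positions for src_ip, dest_ip, app, action and the rest are an assumption based on the PAN-OS 9.0 TRAFFIC log field order, not taken from the Add-on's transforms.conf; the sample line is constructed with RFC 5737 documentation addresses.

```python
import re
from datetime import datetime

# The two settings quoted from the Add-on's [pan:traffic] stanza earlier in the thread.
TIME_PREFIX = re.compile(r"^(?:[^,]*,){6}")
MAX_TIMESTAMP_LOOKAHEAD = 32

# Syslog PRI header such as "<14>" (RFC 3164: PRI = facility * 8 + severity).
PRI_RE = re.compile(r"^<(\d{1,3})>")

# ASSUMED 0-based column positions of a PAN-OS 9.0 TRAFFIC log (CSV), named with the
# field names used in this thread. bytes_out/bytes_in = bytes_sent/bytes_received is
# also an assumption about the direction the Add-on maps them to.
TRAFFIC_FIELDS = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
    "generated_time": 6, "src_ip": 7, "dest_ip": 8, "rule": 11,
    "app": 14, "vsys": 15, "src_port": 24, "dest_port": 25,
    "protocol": 29, "action": 30, "bytes": 31, "bytes_out": 32,
    "bytes_in": 33, "packets": 34,
}
MIN_FIELDS = max(TRAFFIC_FIELDS.values()) + 1


def decode_pri(line):
    """Return (facility, severity) from a leading <PRI>, or None if there is none."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def extract_timestamp(line):
    """Apply TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD the way props.conf does."""
    m = TIME_PREFIX.match(line)
    if not m:
        return None
    # Only the next MAX_TIMESTAMP_LOOKAHEAD characters are examined for a timestamp.
    window = line[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = window.split(",", 1)[0]
    try:
        return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None


def parse_traffic(line):
    """Split the CSV body and map the assumed positions to field names.

    'errors' lists why extraction would fall short; when src_ip/dest_ip are missing
    in Splunk, a short or merged line (e.g. redacted columns run together) is the
    first thing to rule out."""
    cols = line.split(",")
    result = {"errors": []}
    pri = decode_pri(line)
    if pri:
        result["syslog_facility"], result["syslog_severity"] = pri
    if len(cols) < MIN_FIELDS:
        result["errors"].append(
            f"only {len(cols)} comma-separated columns, need at least {MIN_FIELDS}")
        return result
    if cols[TRAFFIC_FIELDS["type"]] != "TRAFFIC":
        result["errors"].append(f"not a TRAFFIC log (column 4 = {cols[3]!r})")
        return result
    for name, idx in TRAFFIC_FIELDS.items():
        result[name] = cols[idx]
    result["_time"] = extract_timestamp(line)
    if result["_time"] is None:
        result["errors"].append("no timestamp found after TIME_PREFIX")
    return result


# Constructed sample line (NOT a real log): syslog header + PAN-OS 9.0 TRAFFIC columns.
SAMPLE_COLUMNS = [
    "<14>Feb 17 14:19:33 192.0.2.10 1",   # PRI, syslog timestamp, host, FUTURE_USE
    "2020/02/17 14:19:33", "001234567890", "TRAFFIC", "end", "2304",
    "2020/02/17 14:19:33",                 # generated time: 7th column, after 6 commas
    "203.0.113.5", "192.0.2.20", "0.0.0.0", "0.0.0.0", "GUEST-ACCESS",
    "", "", "web-browsing", "vsys1", "INTERNET", "DMZ", "ae2", "ae1",
    "LOG_PROFILE", "2020/02/17 14:19:33", "727602", "1", "443", "24892",
    "0", "0", "0xc", "tcp", "allow", "66", "40", "26", "1",
    "2020/02/17 14:18:01", "0", "any", "0", "20697326448", "0x0",
]
SAMPLE_LINE = ",".join(SAMPLE_COLUMNS)

if __name__ == "__main__":
    for key, value in parse_traffic(SAMPLE_LINE).items():
        print(f"{key:18} {value}")
    # A truncated line, like one with columns merged by redaction, reports an error
    # instead of silently shifting every field by one position.
    print(parse_traffic(",".join(SAMPLE_COLUMNS[:20]))["errors"])
```

Two things this makes visible: a "<14>" at the start of the event means the syslog PRI was not stripped before the data reached Splunk, but with this TIME_PREFIX it is harmless; and a line with fewer columns than the field map needs (the symptom when redaction or a relay runs two columns together) is what produces "no src_ip" rather than the Add-on being absent.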
Hi Team,
Palo Alto logs have been successfully sent to our Syslog server. Our Syslog server acts as a Heavy Forwarder, hence we have installed the Add-on "Palo Alto Networks Add-on for Splunk" on our Heavy Forwarder server.
Now the logs are getting ingested into Splunk with three different sourcetypes, pan:traffic, pan:system and pan:threat, but the field extractions are not happening as expected.
The PAN OS version is 9.0.5, so the props and transforms in the Add-On are not working as expected, and the relevant fields are not getting extracted.
So kindly help on the request.