
Is it possible to pull the host/server name from the Palo Alto log files with the Splunk Add-On for Palo Alto Networks?

OldManEd
Builder

Does anyone know if it is possible to pull the host/server name from the Palo Alto log files with the Splunk Add-On app for the source and destination devices? I have a search that pulls the IPs for both of these devices, but I can't find the server names. I use the pan:traffic sourcetype and am running the 3.5.0 release of the add-on. I was asked to see if I can add the source/destination device names to the resulting report from a search and am having a devil of a time trying to get that data.

If there is no way that the add-on can produce this data, does anyone have a suggestion on how I might be able to query for that information?

Thanks in advance.

0 Karma
1 Solution

adonio
SplunkTrust
SplunkTrust

hello there,
the add-on only adds schema to PAN logs. it can't add information that does not exist or that it is not aware of.
IIRC the PAN logs only have IPs; you can enrich this data with a DNS lookup.
otherwise, check if you have that data in PAN and enable the correct logging rules from the PAN console.

hope it helps


0 Karma

OldManEd
Builder

Adonio,
Thanks for the info. Unfortunately, I don't have access to the PAN console, nor do I have any authority to make any changes. So I'm left with the enrichment route, but I don't have any experience with running a DNS lookup in Splunk. Could you possibly point me to where I can find that procedure?
~Ed

0 Karma

adonio
SplunkTrust
SplunkTrust

hello Ed,
you would probably want to create a lookup, or upload one to Splunk if you already have one. then you can use the | lookup command. many examples in this portal, here is one:
https://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html
hope it helps

0 Karma

OldManEd
Builder

Thanks, but unfortunately that will not work. I am familiar with creating and using lookup tables, but the number of servers we have internally would prohibit that. Also, the external URLs are not static, problem number 2. I was wondering if there was a Splunk DNS lookup by IP command that I could use somehow.
~Ed

0 Karma

OldManEd
Builder

I think I found what I was looking for:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureexternallookups

<Search> | lookup dnslookup clientip | stats count by clienthost

~Ed

0 Karma
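The `dnslookup` used in the search above is not a lookup table; it is one of Splunk's built-in external lookups, backed by a script (`external_lookup.py`, registered in transforms.conf with `external_cmd` and `fields_list = clienthost,clientip`) that Splunk runs at search time. Splunk pipes the script a CSV with the lookup's two fields, one side filled in per row, and reads back the same CSV with the blank side resolved. The script below is an added example written for this page to show that contract end to end; it is not Splunk's script, nor part of the Palo Alto add-on. The resolver functions are injectable, and the `FAKE_PTR`/`FAKE_A` tables and the sample CSV in `demo()` are constructed so the example runs offline; wired to stdin/stdout it resolves through the search head's real DNS.

```python
#!/usr/bin/env python3
"""Hypothetical Splunk external lookup script (example for this page, not
Splunk's external_lookup.py and not the PAN add-on's code).

Contract: Splunk writes a CSV with the lookup's fields to stdin, one row per
distinct value it wants resolved, with the known side populated and the other
side empty. The script fills in the blank side and writes the CSV to stdout.
"""
import csv
import io
import socket
import sys

# Field names match Splunk's built-in "dnslookup" (clienthost <-> clientip),
# the names used in the thread's final search.
IP_FIELD = "clientip"
HOST_FIELD = "clienthost"


def resolve_ip(ip):
    """Reverse-resolve an address (PTR) to a host name; '' if it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return ""


def resolve_host(host):
    """Forward-resolve a host name to an address; '' if it fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return ""


def enrich_rows(rows, ip_to_host=resolve_ip, host_to_ip=resolve_host):
    """Fill in whichever side of each row is blank.

    Rows with both sides already filled, or neither, pass through unchanged.
    A failed resolution leaves the field empty rather than aborting the
    whole lookup, so one dead PTR zone does not break the search.
    """
    enriched = []
    for row in rows:
        ip = (row.get(IP_FIELD) or "").strip()
        host = (row.get(HOST_FIELD) or "").strip()
        if ip and not host:
            row[HOST_FIELD] = ip_to_host(ip)
        elif host and not ip:
            row[IP_FIELD] = host_to_ip(host)
        enriched.append(row)
    return enriched


def run(in_stream, out_stream, **resolvers):
    """CSV in, CSV out: the external-lookup contract Splunk speaks."""
    reader = csv.DictReader(in_stream)
    fieldnames = reader.fieldnames or [IP_FIELD, HOST_FIELD]
    writer = csv.DictWriter(out_stream, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(enrich_rows(reader, **resolvers))


# Constructed, offline stand-in for DNS (made-up addresses and names) so the
# example runs without a network or a resolver.
FAKE_PTR = {"10.1.2.3": "web01.corp.example", "10.1.2.4": "db01.corp.example"}
FAKE_A = {name: ip for ip, name in FAKE_PTR.items()}


def demo():
    """Run the lookup over a constructed CSV and return the rows it produced."""
    sample = (
        "clientip,clienthost\n"
        "10.1.2.3,\n"
        "10.9.9.9,\n"            # no PTR record: clienthost stays empty
        ",db01.corp.example\n"   # forward direction: resolve name to IP
    )
    out = io.StringIO()
    run(io.StringIO(sample), out,
        ip_to_host=lambda ip: FAKE_PTR.get(ip, ""),
        host_to_ip=lambda h: FAKE_A.get(h, ""))
    return list(csv.DictReader(io.StringIO(out.getvalue())))


if __name__ == "__main__":
    if sys.stdin.isatty():
        for row in demo():          # run interactively: show the offline demo
            print(row)
    else:
        run(sys.stdin, sys.stdout)  # run by Splunk: real DNS via stdin/stdout
```

To use a script like this in place of the built-in, it goes in an app's `bin` directory with a transforms.conf stanza of the form `external_cmd = my_dns_lookup.py clienthost clientip` and `fields_list = clienthost,clientip` (the stanza and script name here are illustrative). Because the lookup only knows `clientip`/`clienthost`, pan:traffic fields have to be mapped on both sides of the call; assuming the add-on's `src_ip` and `dest_ip` field names, that is `| lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_host | lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_host`. Two caveats worth keeping in mind: the script runs once per search on the search head and waits on DNS for every distinct address, so a large result set can be slow and will send every external IP in the logs to whatever resolver the search head uses; and a PTR answer is set by whoever controls the reverse zone, which for external addresses is the remote operator, so a name enriched this way is a label for the report, not evidence about the host.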