Hi,
I installed the Palo Alto app on a fresh Splunk. I followed the instructions in the readme and saw events coming from the PA firewall. But PAN Overview didn't show any counter or the Google Map (Waiting for search to complete). If I go to the detailed tabs there is only the timeline, no details. Is that all the app can do?
When you say you saw events coming in from the PA firewall, do you mean that you saw those events in Splunk? Are those events going to the pan_logs index?
What happens when you run this search from the search bar:
index=pan_logs | head 100
What is the timestamp of the latest event?
After I use Chrome I see the raw data and all the other information!!! With Firefox 17 no change.
Now I see nice bars in the threat dashboard, but in PAN Threat Collected I see only count 8 and no other information.
It is peculiar that you aren't seeing anything other than the timeline. You should be seeing the raw results when you run your search. The app doesn't do anything to conceal the raw results. What browser and OS are you using? Have you closed all browser windows?
Have you looked at any of the other views beyond the main page? E.g. the traffic overview page or any of the content pages.
Also, when you go to the search app -> Status -> Server activity -> Splunkd activity overview, do you see any errors? If so, are those errors related to the Palo Alto app?
Sorry. I wanted to say add it also to indexes.
PA-5000, and with the admin account. I only see the timeline, no more details.
I installed the following apps:
MAXMIND MAXMIND 1.0.6
Splunk for use with AMMAP amMap
Google Maps maps 1.1.2
In Manager » Access controls » Roles » admin
I add "Indexes searched by default" -> pan_logs and add it also to pan_logs.
Are you logging into Splunk with an admin account? Or some other user account?
Is the time correct for your timezone? Also, when you say 'details beyond', you mean that you see raw data, and the Google Maps etc. are all blank? The main overview page runs a realtime 5 minute window. If your clock isn't synched, or if you don't have appropriate permissions for the index, or if you don't have the appropriate apps installed, you won't see any results.
What kind of PA firewall do you have?
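The three failure causes listed above (clock skew against the 5-minute real-time window, missing index permissions, missing companion apps) can each be checked with a search rather than by clicking through Manager. The searches below are an added example written for this thread, not part of the app or of any post; they assume an admin-level user who may run the `rest` command locally, and the app IDs in the last search are assumed from the names listed in the thread.

```spl
/* 1. Is data arriving, and how far is the newest event from the indexer's clock?
      A skew beyond 300 seconds (positive or negative) explains an empty
      real-time 5-minute overview even when "index=pan_logs | head 100" returns rows. */
index=pan_logs earliest=-24h
| stats count AS events_24h latest(_time) AS latest_event
| eval indexer_now=now(), skew_sec=indexer_now-latest_event
| eval verdict=if(abs(skew_sec)>300,
                  "newest event is outside the 5-minute window: check firewall clock / timezone parsing",
                  "newest event is inside the window")
| convert ctime(latest_event) ctime(indexer_now)
| table events_24h latest_event indexer_now skew_sec verdict

/* 2. Does the role actually search pan_logs by default?
      srchIndexesDefault must contain pan_logs (or *) for the dashboards,
      which do not name the index explicitly, to return anything. */
| rest /services/authorization/roles splunk_server=local
| search title=admin
| table title srchIndexesDefault srchIndexesAllowed

/* 3. Are the companion apps installed and enabled?
      The titles are assumed app IDs taken from the thread's list. */
| rest /services/apps/local splunk_server=local
| search title="SplunkforPaloAltoNetworks" OR title="maps" OR title="amMap" OR title="MAXMIND"
| table title version disabled
```

Run the three searches one at a time from the search bar. In the first one, a large negative skew_sec (events timestamped in the future) is as telling as a positive one: it usually means the firewall's timezone is being parsed as UTC, so the events never fall inside the real-time window no matter how fresh they are.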
Yes, I saw those events in Splunk. I think they go to pan_logs:
splunk > Manager > Indexes:
pan_logs 500,000 None 1 1,522 Feb 27, 2013 10:08:41 AM Feb 28, 2013 9:29:10 AM /opt/splunk/var/lib/splunk/pan_logs/db SplunkforPaloAltoNetworks
The output of the search:
100 events from 8:31:00 AM to 9:31:09 AM on Thursday, February 28, 2013
But again I only see the timeline and not details beyond.