
No data showing on Splunk Palo Alto Networks App

tzhang1splunk
New Member

Hi,

I recently installed Splunk (5.0.3 trial version) with the Palo Alto Networks app version 3.2.1. When I connect to the PA-200 (ver 5.0) and set up the PA box to send syslog to Splunk, I cannot see any data showing in Splunk. I used Wireshark to check, and there is a lot of syslog traffic being sent from the PA-200 to the laptop that Splunk runs on. In the Manager -> Data inputs -> UDP -> 514 config, I have source type: pan_log, host: ip, index: pan_logs.

Is there any reason why I don't see syslog data on Splunk?

Btw, I also checked the following: when I go to the Search app -> Status -> Server activity -> splunkd activity overview, I saw the following errors:

07-20-2013 23:26:14.420 -0400 ERROR SearchResults - Unable to open output file: path=C:\Program Files\Splunk\etc\users\admin\search\history\HPSSPTLTP019.csv.tmp error=The process cannot access the file because it is being used by another process.
host=HPSSPTLTP019 | sourcetype=splunkd | source=C:\Program Files\Splunk\var\log\splunk\splunkd.log

07-20-2013 23:15:55.602 -0400 ERROR SearchResults - Failed to remove "C:\Program Files\Splunk\etc\users\admin\SplunkforPaloAltoNetworks\history\HPSSPTLTP019.csv.tmp2": The system cannot find the file specified.
host=HPSSPTLTP019 | sourcetype=splunkd | source=C:\Program Files\Splunk\var\log\splunk\splunkd.log

Could that be the problem? If so, how do I fix it?

Thanks!
Tina


monzy
Communicator

Hey Tina,

I think you have two different issues here. One is probably related to your Splunk install and the other may be app related. Let's focus on the app one for now.

What happens when you run this search after selecting All Time in the time selector?

index=pan_logs | head 10

If you see results, ensure that the timestamps of the latest events are reasonably close to the current time in your timezone. The main dashboard is real-time. Take a look at the other dashboards. Are they empty too? Ensure that you select All Time in the time selector for those as well.

If you don't see logs as a result of this search and your dashboards are empty, ensure that the user you are logged in as has access to the pan_logs index. You can confirm this by going to Manager, Access Controls, Roles, admin. Scroll down; in the Indexes section (the last section), ensure that pan_logs is listed in the Selected search indexes.
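The three checks in the answer above (the UDP input's index and sourcetype, the role's index access, and the event timestamps versus "now") as one offline script. This is an added example, not code from the original thread or from the Palo Alto Networks app; the inputs.conf and authorize.conf snippets and the PAN-OS syslog line are constructed samples, and the role check assumes the Indexes section of the role page is backed by srchIndexesAllowed in authorize.conf with Splunk's glob semantics ("*" covers every non-internal index, "_*" the internal ones).

```python
"""Offline checks for the troubleshooting steps above: does the UDP 514 input
route to the pan_logs index with the pan_log sourcetype, does the role have
that index allowed, and are event timestamps close enough to 'now' for the
real-time dashboard. All .conf text and the syslog line are constructed
samples, not taken from the poster's system."""
import configparser
import fnmatch
from datetime import datetime, timedelta

# Constructed inputs.conf stanza, the file behind Manager -> Data inputs -> UDP.
INPUTS_CONF = """
[udp://514]
sourcetype = pan_log
connection_host = ip
index = pan_logs
"""

# Constructed authorize.conf. srchIndexesAllowed is a ;-separated list of globs;
# a role searching an index outside it gets no results and no error. The
# "broken" copy deliberately leaves pan_logs out, which is the state the answer
# above asks you to check for.
AUTHORIZE_BROKEN = """
[role_admin]
srchIndexesAllowed = main;_audit;_internal
srchIndexesDefault = main
"""
AUTHORIZE_FIXED = """
[role_admin]
srchIndexesAllowed = main;_audit;_internal;pan_logs
srchIndexesDefault = main;pan_logs
"""

# Constructed PAN-OS 5.0 traffic log as received over syslog. After the
# "<PRI>Mon DD HH:MM:SS host " header the payload is CSV whose first field is
# FUTURE_USE and whose second field is the Receive Time.
SAMPLE_EVENT = ("<14>Jul 20 23:26:14 PA-200 1,2013/07/20 23:26:14,0001A100001,"
                "TRAFFIC,end,1,2013/07/20 23:26:14,10.0.0.5,93.184.216.34,"
                "0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust,"
                "ethernet1/2,ethernet1/1,syslog-splunk,2013/07/20 23:26:14,"
                "12345,1,51234,80,0,0,0x0,tcp,allow,2048,1024,1024,12,"
                "2013/07/20 23:25:50,15,any,0,0,0x0,10.0.0.0-10.255.255.255,"
                "United States,0,6,6")


def parse_conf(text):
    """Splunk .conf files are INI-like; keep key case (srchIndexesAllowed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def udp_input_problems(conf_text, port=514, index="pan_logs", sourcetype="pan_log"):
    """Return a list of mismatches between the UDP stanza and what the app expects."""
    cp = parse_conf(conf_text)
    stanza = f"udp://{port}"
    if not cp.has_section(stanza):
        return [f"no [{stanza}] stanza: nothing is listening on {port}/udp"]
    problems = []
    got_index = cp.get(stanza, "index", fallback="default")  # Splunk's default index
    if got_index != index:
        problems.append(f"index is {got_index!r}, app searches {index!r}")
    got_st = cp.get(stanza, "sourcetype", fallback=None)
    if got_st != sourcetype:
        problems.append(f"sourcetype is {got_st!r}, app extractions key on {sourcetype!r}")
    return problems


def role_can_search(conf_text, role, index):
    """Apply srchIndexesAllowed the way Splunk does: '*' matches every
    non-internal index, '_*' the internal ones, anything else is a glob."""
    cp = parse_conf(conf_text)
    allowed = cp.get(f"role_{role}", "srchIndexesAllowed", fallback="")
    for pat in (p.strip() for p in allowed.split(";")):
        if not pat:
            continue
        if pat == "*" and index.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pat):
            return True
    return False


def receive_time(syslog_line):
    """Parse the PAN-OS Receive Time field (CSV field 1) out of a syslog line."""
    payload = syslog_line.split(maxsplit=4)[4]
    return datetime.strptime(payload.split(",")[1], "%Y/%m/%d %H:%M:%S")


def within_realtime_window(syslog_line, now, window=timedelta(minutes=5)):
    """True when the event's timestamp is close enough to 'now' to appear on a
    real-time dashboard; a clock or timezone mismatch between the firewall
    and the Splunk host shows up here as a large offset."""
    return abs(now - receive_time(syslog_line)) <= window


if __name__ == "__main__":
    print("UDP input problems:", udp_input_problems(INPUTS_CONF) or "none")
    for label, conf in (("broken", AUTHORIZE_BROKEN), ("fixed", AUTHORIZE_FIXED)):
        print(f"admin can search pan_logs ({label}):",
              role_can_search(conf, "admin", "pan_logs"))
    now = datetime(2013, 7, 20, 23, 27, 0)  # fixed 'now' so the run is repeatable
    print("event within real-time window:", within_realtime_window(SAMPLE_EVENT, now))
```

The timestamp check is the one most often missed: PAN-OS timestamps carry no timezone, so Splunk assigns the indexer's local zone unless props.conf sets TZ for the pan_log sourcetype. If the firewall's clock or zone differs from the Splunk host's, `index=pan_logs` over All Time returns events, but they sit hours away from "now" and the real-time dashboard stays empty.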

monzy
Communicator

Can you paste your Palo Alto app's input stanza here, please?


tzhang1splunk
New Member

monzy,

First, by doing the search as you instructed, I got no events. Then I changed the search indexes section and added pan_logs to the selected search indexes. I restarted Splunk and still saw no events in the search result.

Tina
