I have installed the Palo Alto App and add-on and I have also pointed a firewall to Splunk.
I can see traffic, threat logs etc. under search but cannot see anything in the App.
The sourcetype is being seen correctly, such as:
sourcetype=pan:traffic
sourcetype=pan:threat
What am I doing wrong or not doing?
Hi,
Thanks for the feedback.
I know it's best to use a syslog server rather than sending directly. This is a test setup for 1 firewall.
I have enabled data acceleration and there still seems to be nothing in the app!
This is my eventtypes.conf:
[pan]
search = sourcetype=pan_* OR sourcetype=pan:*
[pan_firewall]
search = sourcetype=pan:traffic OR sourcetype=pan:threat OR sourcetype=pan:config OR sourcetype=pan:system OR sourcetyp$
[pan_config]
search = sourcetype=pan_config OR sourcetype=pan:config
[pan_traffic]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic
[pan_traffic_start]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="start"
[pan_traffic_end]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="end"
[pan_system]
search = sourcetype=pan_system OR sourcetype=pan:system
[pan_threat]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype != "url" log_subtype != "file" log_subtype != "$
[pan_file]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "file"
[pan_url]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "url"
[pan_data]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "data"
Hi elliotbeken,
As a best practice you should not be sending syslog data directly to Splunk. Yes, it's possible to use Splunk to receive TCP/UDP, but it's not recommended for production use. You'll end up losing data in case you restart that Splunk instance. You should, whenever possible, use a syslog server to receive the data. Then, to index it, you either use a forwarder or a syslog agent that is capable of outputting to Splunk's HTTP Event Collector (HEC).
Regarding your issue with the PAN App, validate that your data models have acceleration enabled and are able to access data. You can validate the first by going into Settings >> Data models and looking for the yellow lightning bolt next to each Palo Alto data model, and you can test the second by using the pivot option and checking whether results show up there.
The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.:
SplunkforPaloAltoNetworks/local/eventtypes.conf:
[pan_wildfire_report]
search = index=your_index (sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report)
Splunk_TA_paloalto/local/eventtypes.conf:
[pan]
search = index=your_index (sourcetype=pan_* OR sourcetype=pan:*)
Replace "your_index" with your actual index. These are just examples. There are more event types in both apps.
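One way to apply the eventtypes change described above to every stanza at once, as an added example that is not the app's, the add-on's or the poster's own code: it reads a default/eventtypes.conf, wraps each search in parentheses and prefixes it with the index, emitting the text for local/eventtypes.conf. The sample stanzas and the index name pan_logs are constructed for the example.

```python
import configparser
import re

# Constructed sample of a default/eventtypes.conf (the real file ships with the app/add-on).
DEFAULT_EVENTTYPES = """\
[pan]
search = sourcetype=pan_* OR sourcetype=pan:*

[pan_traffic_start]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="start"

[pan_wildfire_report]
search = sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report
"""

INDEX_RE = re.compile(r"\bindex\s*=", re.IGNORECASE)


def pin_eventtypes_to_index(conf_text, index):
    """Return {stanza: search} with every search constrained to `index`.

    Wrapping the original search in parentheses keeps its OR/AND meaning
    intact when index= is prepended; stanzas that already name an index
    are left as they are.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", index):
        raise ValueError("index name must be a plain identifier: %r" % index)
    # Split only on '=' so the ':' inside sourcetype=pan:* is not treated as a delimiter.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # Splunk .conf keys are case-sensitive
    parser.read_string(conf_text)
    pinned = {}
    for stanza in parser.sections():
        search = parser.get(stanza, "search", fallback=None)
        if search is None:
            continue  # stanza without a search, e.g. only a description
        search = search.strip()
        pinned[stanza] = search if INDEX_RE.search(search) else "index=%s (%s)" % (index, search)
    return pinned


def render_local_conf(pinned):
    """Serialise stanzas in the layout used by local/eventtypes.conf."""
    return "\n\n".join("[%s]\nsearch = %s" % kv for kv in pinned.items()) + "\n"


if __name__ == "__main__":
    print(render_local_conf(pin_eventtypes_to_index(DEFAULT_EVENTTYPES, "pan_logs")))
```

Run it once against each app's default/eventtypes.conf and place the output in that app's local/ directory, then restart Splunk.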
I don't believe you need to change eventtypes. Palo Alto dashboards query their data models (pan_firewall, pan_aperture, etc.) in most of the cases I've seen with summariesonly=t. This means it will return results from the accelerated data. Data model accelerations are done by splunk-system-user and not by the user itself, so the user's index list searched by default won't be a problem here.
You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model.
Hello,
Usually this is caused by one of these problems:
Here's our troubleshooting guide for dashboards. It should guide you through checking these issues and correcting them:
https://splunk.paloaltonetworks.com/troubleshoot.html#dashboards-not-working