All Apps and Add-ons

Palo Alto App cannot see data but logs are seen as PAN:*

elliotbeken
New Member

I have installed the Palo Alto App and add-on and i have also pointed a firewall to Splunk.

I can see traffic, threat logs ETC under search but cannot see anything in the App.

sourcetype is being seen correctly such as:
sourcetype=pan:traffic
sourcetype=pan:threat

What am i doing wrong or not doing!

0 Karma

elliotbeken
New Member

Hi,

Thanks for the feedback.

I know its best to use a SySLog server rather then sending directly. This is a test setup for 1 firewall.

I have enabled data acceleration and there still seems to be nothing in the app!

This is my eventtypes.conf:

[pan]
search = sourcetype=pan_
OR sourcetype=pan:*
[pan_firewall]
search = sourcetype=pan:traffic OR sourcetype=pan:threat OR sourcetype=pan:config OR sourcetype=pan:system OR sourcetyp$

tags = network

[pan_config]
search = sourcetype=pan_config OR sourcetype=pan:config

tags = change

[pan_traffic]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic

tags = network communicate

[pan_traffic_start]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="start"

tags = network session start

[pan_traffic_end]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="end"

tags = network session end

[pan_system]
search = sourcetype=pan_system OR sourcetype=pan:system

tags = update status

[pan_threat]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype != "url" log_subtype != "file" log_subtype != "$

tags = ids attack

[pan_file]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "file"

tags = web

[pan_url]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "url"

tags = web

[pan_data]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "data"

tags = web*

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Hi elliotbeken,

As a best practice you should not be sending syslog data directly to splunk. Yes its possible to use splunk to receive TCP/UDP but its not recommended for production use. You'll end up losing data in case you restart that splunk instance. You should whenever possible use a syslog server to received the data. Then to index it you either use a forwarder or a syslog agent that is capable to output to Splunk's http event collector (HEC).

Regarding you issue with PAN App, validate that your datamodels have acceleration enabled and are able to access data. You can validate the first by going into settings >> datamodels and look for the yellow lightning next to each Palo Alto datamodel and you can test the second bit by using the pivot option and check if there are results showing up there.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

tscroggins
Influencer

The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.:

SplunkforPaloAltoNetworks/local/eventtypes.conf:

[pan_wildfire_report]
search = index=your_index (sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report)

Splunk_TA_paloalto/local/eventtypes.conf:

[pan]
search = index=your_index (sourcetype=pan_* OR sourcetype=pan:*)

Replace "your_index" with your actual index. These are just examples. There are more event types in both apps.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

I don't believe you need to change eventtypes. Palo Alto dashboards query their datamodels (pan_firewall, pan_aperture, etc) in most of the cases I've seen with summariesonly=t. This means it will return results from the accelerated data. Data models accelerations are done by splunk-system-user and not by the user it self, so the user's index list searched by default won't be a problem here.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

tscroggins
Influencer

You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model.

0 Karma

btorresgil
Builder

Hello,

Usually this is caused by one of these problems:

  1. Time or timezone issue. The dashboards show the last 60 minutes, so if the time of the logs is prior to that, nothing will show up in the dashboards.
  2. Datamodels Acceleration is disabled. Please check that all the Palo Alto Networks datamodels have acceleration enabled. Splunk makes us disable them by default. We recommend 7 days as a starting timeframe for datamodel acceleration.

Here's our troubleshooting guide for dashboards. It should guide you through checking these issues and correcting them:
https://splunk.paloaltonetworks.com/troubleshoot.html#dashboards-not-working

Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...