The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default indexer, "AAA", with the default sourcetype "BBB".
We have also installed the Palo Alto add-on on the indexers (in cloud) and also deployed the Palo Alto app on the search head.
We have created a props.conf and transforms.conf which segregate the Palo Alto data from the default sourcetype "AAA" to "pan:logs". So now we have Palo Alto data coming in to our default indexer "AAA" with sourcetype "pan:logs".
Now, I have seen in some articles where it mentions that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype is "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?
Please suggest.
The Palo Alto TA separates the different types of logs into different sourcetypes (pan:config, pan:traffic, etc). It does this by way of a TRANSFORM defined for the pan:log sourcetype.
It sounds like you have your logs coming in as sourcetype AAA, and your indexer is changing this via a TRANSFORM to pan:log. The issue with this is the Palo Alto TA TRANSFORMS will never run against your data unless they first hit the indexer with the pan:log sourcetype. It will not work for them to come in initially as something other than pan:log (or pan_log, as you've seen referenced as well). And this does require the TA to be in place on the indexer (or heavy forwarder, if that's where the logs go through before reaching the indexer).
My suggestion is to find a way to get those logs sourcetyped correctly as pan:log when they are first brought in to Splunk.
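An added example (not configuration from the thread or from the Palo Alto add-on) contrasting the two setups the answer above discusses: the rewrite-on-indexer arrangement the question describes, and a dedicated input that assigns pan:log on arrival. The listener port, and that the management platform can send the firewall syslog to its own listener, are assumptions.

```ini
# Illustration only: not the poster's files and not the TA's own stanzas.
# Index name AAA and the port 5514 are assumptions for this example.

# --- 1. The setup described in the question: syslog arrives as sourcetype AAA
#        and a transform on the indexer renames it. The rename itself works,
#        but props are matched on the sourcetype the event arrived with, so the
#        TA's [pan:log] stanza (and the TRANSFORMS in it that split events into
#        pan:traffic, pan:threat, pan:system, pan:config) are never applied.
# props.conf (indexer)
[AAA]
TRANSFORMS-pan_rename = set_pan_log

# transforms.conf (indexer)
[set_pan_log]
REGEX = ,(TRAFFIC|THREAT|SYSTEM|CONFIG),
FORMAT = sourcetype::pan:log
DEST_KEY = MetaData:Sourcetype

# --- 2. What the answer recommends: tag the events pan:log where they first
#        enter Splunk. Here that is a dedicated syslog listener on the heavy
#        forwarder (assumed port), with the management platform pointed at it.
#        The TA installed on whichever tier parses first (this forwarder, or
#        the indexer if events arrive unparsed) then does the splitting.
# inputs.conf (heavy forwarder receiving from the management platform)
[udp://5514]
sourcetype = pan:log
index = AAA
connection_host = ip
no_appending_timestamp = true
```

After the change, a search such as index=AAA sourcetype=pan:* | stats count by sourcetype should show the split sourcetypes rather than a single pan:log.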
Appreciate your response.
So, recently we finished installing the Palo Alto App/add-on on the SH and indexers. One good thing is that now I am able to see 4 sourcetypes populating automatically:
Example:
index=AAA sourcetype=pan:*
I can see all 4 sourcetypes now, i.e.
1) pan:log
2) pan:traffic
3) pan:system
4) pan:threat
But none of my dashboards in the Palo Alto app gives any result.
Please suggest.
Please look here
Where to install
It's recommended to install both the Palo Alto Networks App and Add-on on all Search Heads, Indexers, and Heavy Forwarders. Do not install on Universal Forwarders.
Also see props.conf in the app (Palo Alto add-on). I think that if you do the same setting it will import correctly.
Thanks for your response.
We have installed the Palo Alto add-on and App both on the Search Head and Indexers.
So, next you want me to try copying the props.conf settings from the Palo Alto App and add the same settings to the Palo Alto Add-on? Please confirm.
See [pan_log] in props.conf of TA_Palo. Adding the same settings to your props.conf will import correctly.
What is the result of the execution below?
Acceleration of the data model may be disabled. Please rebuild the acceleration of the data model.
| tstats summariesonly=t count FROM datamodel="pan_firewall"
| tstats summariesonly=f count FROM datamodel="pan_firewall"
I ran this:
| tstats summariesonly=t count FROM datamodel="pan_firewall"
Result below:
Count
10898915
Since I got the count, do you still think Acceleration of the data model might be disabled ?
Thanks for your time and suggestion.
If you can search with summariesonly=t, acceleration of the data model is okay. What is the status percentage? Also check that the Updated date has not stopped advancing.
I checked under Data Model Audit and it shows status 100%.
Also, it says logs indexed for 24 hrs.
Do you think we need to wait for some time?
MODEL
Datasets: 6 Events
Permissions: Shared in App. Owned by nobody.
ACCELERATION
Status: 100.00% Completed
Access Count: 159. Last Access: 1/10/18 1:08:47.000 AM
Size on Disk: 39.02MB
Summary Range: 604800 second(s)
Buckets: 3365
Updated: 1/10/18 1:10:10.000 AM
Let me know if you think we need to rebuild or what next ?
Once again thanks 🙂
Rebuilding is unnecessary. Is there a dashboard displayed in the Palo app?
Which dashboard is not displayed?
What are the versions of the Palo app and TA?
We have all the default dashboards which come with the Palo Alto App, but none of them populate any data. The version we have is 6.x.
Are the following results displayed?
eventtype=pan|stats count by sourcetype
Yes. It shows 4 sourcetypes with event counts.
There seems to be no wrong setting.
Does it really not display anything?
User Behavior > Traffic Events search statement:
| tstats summariesonly=t latest(_time) AS _time, values(log.log_subtype) AS log.log_subtype, values(log.http_category) AS log.http_category, values(log.app:is_saas) AS log.app:is_saas, values(log.app:default_ports) AS log.app:default_ports, values(log.app) AS log.app, values(log.user) AS log.user, values(log.file_name) AS log.file_name, values(log.file_hash) AS log.file_hash, values(log.url) AS log.url, values(log.dest_name) AS log.dest_name, values(log.dest_port) AS log.dest_port, values(log.severity) AS log.severity, values(log.bytes_in) AS log.bytes_in, values(log.bytes_out) AS log.bytes_out count FROM datamodel="pan_firewall" WHERE (nodename="log.traffic" OR nodename="log.url" OR nodename="log.data") GROUPBY sourcetype log.serial_number log.session_id log.client_ip log.server_ip log.src_ip
| rename log.* AS * | search log_subtype="end" | stats count
When I click on the User Behavior tab it shows me values in 2 panels: 1) Rare Application 2) Traffic Events.
Please also try this.
| tstats summariesonly=t count FROM datamodel="pan_firewall" GROUPBY nodename