
Palo Alto Apps not showing any data

raomu
Explorer

The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default index, which is "AAA", with the default sourcetype "BBB".

We have also installed the Palo Alto add-on on the indexers (in the cloud) and also deployed the Palo Alto app on the search head.

We have created a props.conf and transforms.conf which segregate the Palo Alto data from the default sourcetype "AAA" to "pan:logs". So now we have Palo Alto data coming into our default index "AAA" with sourcetype "pan:logs".

Now, I have seen some articles which mention that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype is "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?

Please suggest.


raomu
Explorer

give me stats with 6 nodes

0 Karma

raomu
Explorer

I believe it's not pulling all the nodenames. What I get is:

log
log.file
log.system
log.traffic
log.traffic.end
log.traffic.start

but there are some which I know I am missing. For example nodename="log.correlation"; like this there might be others also, which I am not sure of.

0 Karma

HiroshiSatoh
Champion

Please check the subtype setting.

| tstats summariesonly=t count from datamodel="pan_firewall" GROUPBY nodename log.log_subtype
0 Karma

raomu
Explorer

nodename log.log_subtype
log deny
log drop
log end
log file
log general
log start
log url-filtering

0 Karma

raomu
Explorer

log.file file
log.system general
log.system url-filtering
log.traffic deny
log.traffic drop

0 Karma

HiroshiSatoh
Champion

I think there is no problem. Isn't it just that the data for the dashboard you want to see does not exist?

Please check the troubleshooting page and check again.
https://splunk.paloaltonetworks.com/troubleshoot.html

0 Karma

raomu
Explorer

Thanks for all your help. I had already gone through that link; it didn't help much. I have a case open with Splunk tomorrow; let's see if they have anything to say on this. I will keep you posted on the results. Thanks.

0 Karma

raomu
Explorer

Do we need to do any configuration on the add-on side on the search head? I see there is a configuration tab.

0 Karma

raomu
Explorer

Hi,
I removed some settings which I made earlier under our custom app for props.conf and transforms.conf for pan:log and pan:traffic. After I removed those settings, I am not able to get any logs in any sourcetype. Could you please suggest whether I need to make those changes, and whether this is how the app is designed to work?

We have a custom app, AAA, where we push props.conf and transforms.conf:

transforms.conf (custom app AAA):

[dnb_PaloAlto_sourcetype_setting]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)
FORMAT = sourcetype::pan:log
DEST_KEY = MetaData:Sourcetype

[pan_traffic]
REGEX = ^[^,]+,[^,]+,[^,]+,TRAFFIC,
FORMAT = sourcetype::pan:traffic
DEST_KEY = MetaData:Sourcetype

props.conf (custom app AAA):

# (the stanza header this TRANSFORMS key sits under was not included in the post)
TRANSFORMS-sub_sourcetype_PaloAlto = pan_traffic

[pan_traffic]
rename = pan:traffic

[pan:traffic]

REPORT-search = extract_traffic

FIELDALIAS-app                       = app as application
FIELDALIAS-vsys                      = virtual_system as vsys
# Field Aliases to map specific fields to the Splunk Common Information Model - Network Traffic
EVAL-vendor_action                   = action
LOOKUP-vendor_action                 = pan_vendor_action_lookup vendor_action OUTPUT action
# bytes, bytes_in, bytes_out
FIELDALIAS-dest_for_pan_traffic      = dest_ip as dest
FIELDALIAS-dvc_for_pan_traffic       = host as dvc
FIELDALIAS-protocol_for_pan_traffic  = protocol as vendor_protocol
FIELDALIAS-transport                 = protocol as transport
FIELDALIAS-src_for_pan_traffic       = src_ip as src
FIELDALIAS-dest_category             = category as dest_category

# Set user field
EVAL-user                            = coalesce(src_user,dest_user,"unknown")
# Determine client and server ip address based on direction of flow
# There is no direction field in traffic logs, so assume source is client
EVAL-server_ip                       =  dest_ip
EVAL-client_ip                       =  src_ip
# Determine client and server geo location based on direction of flow
# There is no direction field in traffic logs, so assume source is client
EVAL-server_location                 = dest_location
EVAL-client_location                 = src_location

LOOKUP-vendor_info_for_pan_config    = pan_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product
LOOKUP-pan_app                       = app_lookup app
# IP Classification based on ip_classification lookup table
# This lookup table can be modified by user to mark IP ranges,as serving specific purposes (eg. DMZ_Servers)
LOOKUP-src_class                     = classification_lookup cidr as src_ip OUTPUT classification as src_class
LOOKUP-dest_class                    = classification_lookup cidr as dest_ip OUTPUT classification as dest_class
LOOKUP-app_saas_class                = sanctioned_saas_lookup app OUTPUT sanctioned_saas as app:is_sanctioned_saas
0 Karma
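To make the sourcetype-rewrite chaining that this thread turns on concrete, here is an added Python emulation of Splunk's index-time sourcetype routing. It is not part of the thread, the custom app or the Palo Alto add-on. The two regexes come from the props/transforms posted above; the pan_threat/pan_system/pan_config entries are assumed mirrors of pan_traffic for the other PAN-OS log types, and the hostname us-dc1-panorama, serial number and log lines are constructed for the example. The emulation encodes one Splunk behaviour the advice in this thread relies on: index-time TRANSFORMS are chosen by the sourcetype an event has when it arrives from inputs.conf, and a sourcetype written by one transform does not trigger the new sourcetype's own TRANSFORMS in the same pass.

```python
import re

# Index-time transforms: name -> (REGEX, value written to MetaData:Sourcetype).
# The first two regexes are the ones posted in this thread; the THREAT/SYSTEM/
# CONFIG entries are assumed mirrors of pan_traffic, not copied from the add-on.
TRANSFORMS = {
    "dnb_PaloAlto_sourcetype_setting": (
        re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)"), "pan:log"),
    "pan_traffic": (re.compile(r"^[^,]+,[^,]+,[^,]+,TRAFFIC,"), "pan:traffic"),
    "pan_threat":  (re.compile(r"^[^,]+,[^,]+,[^,]+,THREAT,"),  "pan:threat"),
    "pan_system":  (re.compile(r"^[^,]+,[^,]+,[^,]+,SYSTEM,"),  "pan:system"),
    "pan_config":  (re.compile(r"^[^,]+,[^,]+,[^,]+,CONFIG,"),  "pan:config"),
}

# props.conf TRANSFORMS-* lists, keyed by the sourcetype an event has when it
# arrives from inputs.conf. "network" models the custom-app setup from the post
# (catch-all sourcetype, rewritten by transforms); "pan:log" models events that
# inputs.conf already tagged as pan:log, the way the add-on expects them.
PROPS = {
    "network": ["dnb_PaloAlto_sourcetype_setting", "pan_traffic"],
    "pan:log": ["pan_traffic", "pan_threat", "pan_system", "pan_config"],
}


def route(line: str, input_sourcetype: str) -> str:
    """Return the sourcetype an event ends up with after index-time transforms.

    Only the TRANSFORMS list of the input-time sourcetype is evaluated. When a
    transform rewrites MetaData:Sourcetype, the new sourcetype's own TRANSFORMS
    are not run in the same pass, so a rewrite chain has to be spelled out in one
    stanza (as the custom app did) or avoided by setting sourcetype=pan:log in
    inputs.conf. Within one list, later matches overwrite earlier ones.
    """
    sourcetype = input_sourcetype
    for name in PROPS.get(input_sourcetype, []):
        regex, new_sourcetype = TRANSFORMS[name]
        if regex.search(line):
            sourcetype = new_sourcetype
    return sourcetype


# Constructed sample events: syslog header plus an abbreviated PAN-OS CSV body.
# Hostnames, serial number and timestamps are made up for this example.
SAMPLES = {
    "traffic": "Mar 12 10:15:01 us-dc1-panorama 1,2024/03/12 10:15:01,001801012345,TRAFFIC,end,2049,2024/03/12 10:15:01,10.1.1.5,93.184.216.34,...",
    "threat":  "Mar 12 10:15:02 us-dc1-panorama 1,2024/03/12 10:15:02,001801012345,THREAT,url,2049,2024/03/12 10:15:02,10.1.1.5,93.184.216.34,...",
    "system":  "Mar 12 10:15:03 us-dc1-panorama 1,2024/03/12 10:15:03,001801012345,SYSTEM,general,0,2024/03/12 10:15:03,...",
    "switch":  "Mar 12 10:15:04 core-sw01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
}


def route_all(input_sourcetype: str) -> dict:
    """Route every sample under one inputs.conf sourcetype, for comparing the two setups."""
    return {name: route(line, input_sourcetype) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for setup in ("network", "pan:log"):
        print(f"input sourcetype = {setup}")
        for name, final in route_all(setup).items():
            print(f"  {name:8s} -> {final}")
```

Running it shows the two outcomes discussed in the thread: with events arriving as "network", the custom app's chain gets a TRAFFIC log to pan:traffic but leaves THREAT and SYSTEM logs parked at pan:log, because only pan_traffic was copied into that stanza; with events arriving as pan:log, every matching log type is moved to its pan:* sourcetype and pan:log keeps only what no subtype regex recognised, which is why an empty pan:log after a correct setup is nothing to worry about.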

HiroshiSatoh
Champion

The Palo Alto App needs to receive the sourcetype pan_log. Does the pan_log setting exist?

0 Karma

raomu
Explorer

pan_log is defined under props.conf and transforms.conf of the Palo Alto App, which is installed on all indexers and the search head as you suggested.

0 Karma

raomu
Explorer

All the device logs come into the Network folder. In the Network folder we have the Palo Alto device logs as well.

Under inputs.conf, by default logs go to the network index and network sourcetype.

What I tried now is: under inputs.conf, I added another stanza below:

[monitor:///path_of_log_file/*.log]
sourcetype = pan:log

but even this doesn't get anything into the pan:log sourcetype.

0 Karma

HiroshiSatoh
Champion

If there is a log, it is ingested as pan:log. For a correctly parsed log, the sourcetype is changed from pan:log to pan:XXX.

Can you really not find the logs?
index=XX sourcetype=pan*

0 Karma

raomu
Explorer

I can see logs coming into the correct sourcetypes, although I see only 3 out of 4 sourcetypes.
pan:log is not populating.

Also, when I try to run this:
| tstats summariesonly=t count from datamodel="pan_firewall" GROUPBY nodename log.log_subtype

I get the error message "Error in 'TsidxStats': Could not find datamodel: pan_firewall"

Do I need to rebuild the data model?

0 Karma

HiroshiSatoh
Champion

pan:log is changed to another sourcetype. It is OK that it is not searchable.

Please rebuild the data model.

0 Karma

raomu
Explorer

To rebuild the data model, I need to click on Settings -> Data models -> look for Palo Alto -> click the Rebuild option? That's all, correct?

0 Karma

HiroshiSatoh
Champion

Yes, it is.
If the aggregation period is displayed, it is as below.

Summary Range
604800 second(s) -> 7 days

0 Karma

raomu
Explorer

Thanks for all your help. Although it's not completely fixed (I am still working on some of the dashboards), we are very close. Thanks for all your guidance.

0 Karma

micahkemp
Champion

Yes, as stated in a previous answer, you really need these logs to be ingested as pan:log first. You're going to run into complications if you try to rewrite the sourcetype with a transform (as the PA TA does this as well).

0 Karma

raomu
Explorer

log.traffic end
log.traffic start
log.traffic.end end
log.traffic.start start

0 Karma

raomu
Explorer

log.file file
log.system general
log.system url-filtering
log.traffic deny
log.traffic drop
log.traffic end
log.traffic start
log.traffic.end end
log.traffic.start start

0 Karma