
Palo Alto Apps not showing any data

raomu
Explorer

The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default index "AAA" and default sourcetype "BBB".

We have also installed the Palo Alto add-on on the indexers (in cloud) and also deployed the Palo Alto app on the search head.

We have created a props.conf and transforms.conf which segregate the Palo Alto data from the default sourcetype "AAA" to "pan:logs". So now we have Palo Alto data coming in to our default index "AAA" and sourcetype "pan:logs".

Now, I have seen some articles which mention that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype is "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?

Please suggest.

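As an added example (not from the original post, and not the Palo Alto add-on's own configuration), this is the props.conf/transforms.conf pair that performs the sourcetype segregation the post describes. It assumes the data first arrives with sourcetype BBB as stated in the post, that the PAN-OS syslog body is the usual comma-separated format with the log type (TRAFFIC, THREAT, SYSTEM, CONFIG, ...) as its fourth field, and that the add-on expects the sourcetype pan:log (the four sourcetypes named later in the thread all start with pan:) rather than pan:logs. The index override stanza is included only because the question asks about pan_logs; it is an assumption that it is needed at all, and only applies if the app's searches are scoped to that index.

```ini
# props.conf -- on the instance that first parses the events (indexers, or a
# heavy forwarder in front of Splunk Cloud; on Splunk Cloud this ships as a
# private app rather than being edited on the indexers directly).
# "BBB" is the sourcetype the management platform's syslog arrives with.
[BBB]
TRANSFORMS-pan_route = set_pan_sourcetype, set_pan_index

# transforms.conf
# PAN-OS syslog is CSV; the 4th field is the log type, e.g.
#   1,2019/03/10 10:00:00,001234567890,TRAFFIC,end,...   (constructed sample)
# Rewrite the sourcetype to pan:log so the add-on's own [pan:log] props stanza
# can split the events into pan:traffic, pan:threat, pan:system, pan:config.
# The REGEX below is an assumption about which log types you want to route.
[set_pan_sourcetype]
REGEX = ^[^,]*,[^,]*,[^,]*,(TRAFFIC|THREAT|SYSTEM|CONFIG|HIPMATCH|USERID|GLOBALPROTECT|CORRELATION|DECRYPTION),
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:log

# Optional index routing (assumption: only needed if the app's dashboards are
# pinned to the pan_logs index). The target index must exist on the indexers;
# events routed to a missing index are dropped unless lastChanceIndex is set.
[set_pan_index]
REGEX = ^[^,]*,[^,]*,[^,]*,(TRAFFIC|THREAT|SYSTEM|CONFIG|HIPMATCH|USERID|GLOBALPROTECT|CORRELATION|DECRYPTION),
DEST_KEY = _MetaData:Index
FORMAT = pan_logs
```

Two checks worth making after deploying this: the rewrite only takes effect for events parsed after the restart (already-indexed events keep sourcetype BBB), and both transforms must be applied on the same parsing tier, because once an indexer has parsed an event no later tier can change its sourcetype or index.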

raomu
Explorer

nodename            log.log_subtype
log                 deny
log                 drop
log                 end
log                 file
log                 general
log                 start
log                 url-filtering
log.file            file
log.system          general
log.system          url-filtering
log.traffic         deny
log.traffic         drop
log.traffic         end
log.traffic         start
log.traffic.end     end
log.traffic.start   start


raomu
Explorer

I checked under Data Model Audit:

datamodel            acceleration  retention  earliest             latest               build_inprogress  build_complete(%)  size(MB)  last_error
pan_aperture         enabled       7 days     12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              37.2
pan_endpoint         enabled       7 days     12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              37.2
pan_firewall         enabled       7 days     12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              6258.7
pan_wildfire_report  enabled       31 days    12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              217.8


raomu
Explorer

I checked Datamodel Acceleration Status:

datamodel            acceleration  retention  earliest             latest               build_inprogress  build_complete(%)  size(MB)  last_error
pan_aperture         enabled       7 days     12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              37.2
pan_endpoint         enabled       7 days     12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              37.2
pan_firewall         enabled       7 days     12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              6258.7
pan_wildfire_report  enabled       31 days    12/31/1969 18:00:00  12/31/2037 22:00:00  0                 100.0              217.8


raomu
Explorer

Hello,

When you say:

"See [pan_log] in props.conf of TA_Palo." -- I understand this as you asking me to check the props.conf of the Palo Alto add-on, which is not correct; we don't have any props.conf on the add-on side, i.e. TA_Palo.

"Adding the same settings to your props.conf will be imported correctly" -- I didn't understand this part.

Let me know if I understand you correctly: are you asking me to copy the [pan_log] which is available in the Palo Alto app, but not in the Palo Alto TA (add-on), to the Palo Alto add-on?

Also, the good part: after we installed the Palo Alto app and add-on on the indexer side, we are able to populate the 4 sourcetypes automatically:

1) pan:log
2) pan:traffic
3) pan:system
4) pan:threat

But none of my dashboards in the Palo Alto app gives any result.

Please suggest.

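Added verification searches (not from the thread, and not part of the Palo Alto app) that narrow down where the events ended up versus what the data model behind the dashboards actually sees. They assume the names used in this thread: index AAA from the original post, the pan:* sourcetypes listed above, and the pan_firewall data model shown in the acceleration status. Run them on the search head, one at a time, over the same time range the empty dashboards use.

```spl
| tstats count WHERE index=* sourcetype=pan:* BY index, sourcetype

| tstats summariesonly=true count FROM datamodel=pan_firewall BY index, sourcetype

| datamodel pan_firewall

index=AAA sourcetype=pan:* earliest=-15m | head 5 | table _time index sourcetype _raw
```

The first search shows which index and sourcetypes the rewritten events actually landed in. The second shows what the accelerated pan_firewall summaries contain; if the first search returns rows but this one returns nothing, the data model's root constraint is not matching your index or sourcetype, and the third search prints the data model definition (including that constraint) so it can be compared against the first result. The last search confirms that events are still arriving with the expected sourcetype after the props/transforms change, since only events parsed after the change are affected.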