
Palo Alto Apps not showing any data

raomu
Explorer

The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default indexer, which is "AAA", with the default source type "BBB".

We have also installed the Palo Alto add-on on the indexers (in cloud) and also deployed the Palo Alto app on the search head.

We have created a props.conf and transforms.conf which is segregating the Palo Alto data from the default sourcetype "AAA" to "pan:logs". So now we have Palo Alto data coming in to our default indexer "AAA" and sourcetype "pan:logs".

Now, I have seen in some articles where it mentions that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype is "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?

Please suggest.
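For readers hitting the same routing question, here is an added example of the props.conf/transforms.conf pair that re-tags PAN-OS events arriving under a catch-all syslog sourcetype. It is not the poster's configuration and not part of the Palo Alto Add-on; the sourcetype name "BBB" is taken from the post, the target sourcetypes pan:traffic, pan:threat and pan:system are the ones the thread reports the add-on populating, and the regex is an assumption based on the PAN-OS CSV syslog layout (the fourth comma-separated field is the log type). The example routes straight to the per-type sourcetypes rather than to a generic pan:log first, because a sourcetype assigned by an index-time transform does not get the index-time props of its new sourcetype re-applied to the same event.

```ini
# Added example, not from the thread or from the Palo Alto Add-on.
# Sourcetype overrides via MetaData:Sourcetype are index-time (parsing)
# settings: these stanzas must live on the indexers (or on a heavy
# forwarder in front of them); a copy on the search head alone does nothing.

# ---- props.conf --------------------------------------------------------
# "BBB" is the catch-all sourcetype the management platform's syslog feed
# lands in (taken from the post). Each listed transform is tried in order;
# only the one whose REGEX matches rewrites the sourcetype.
[BBB]
TRANSFORMS-route_pan = pan_route_traffic, pan_route_threat, pan_route_system

# ---- transforms.conf ---------------------------------------------------
# Assumed PAN-OS layout after the syslog header:
#   <hdr> 1,<receive time>,<serial>,TRAFFIC|THREAT|SYSTEM|CONFIG,<subtype>,...
# so the log type is the 4th comma-separated field of _raw. Events that do
# not match any stanza keep sourcetype BBB and are left alone.
[pan_route_traffic]
SOURCE_KEY = _raw
REGEX = ^[^,]*,[^,]*,[^,]*,TRAFFIC,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:traffic

[pan_route_threat]
SOURCE_KEY = _raw
REGEX = ^[^,]*,[^,]*,[^,]*,THREAT,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:threat

[pan_route_system]
SOURCE_KEY = _raw
REGEX = ^[^,]*,[^,]*,[^,]*,SYSTEM,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:system
```

After a restart of the indexers, only newly indexed events are affected; events already stored under BBB keep that sourcetype, so a quick check is to compare event counts by sourcetype over a window that starts after the change. If the feed also carries CONFIG or HIP-MATCH records, add a matching stanza per type in the same pattern.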


raomu
Explorer

| nodename          | log.log_subtype |
|-------------------|-----------------|
| log               | deny            |
| log               | drop            |
| log               | end             |
| log               | file            |
| log               | general         |
| log               | start           |
| log               | url-filtering   |
| log.file          | file            |
| log.system        | general         |
| log.system        | url-filtering   |
| log.traffic       | deny            |
| log.traffic       | drop            |
| log.traffic       | end             |
| log.traffic       | start           |
| log.traffic.end   | end             |
| log.traffic.start | start           |

0 Karma

raomu
Explorer

I checked under Data Model Audit:

| datamodel           | acceleration | retention | earliest            | latest              | build_inprogress | build_complete(%) | size(MB) | last_error |
|---------------------|--------------|-----------|---------------------|---------------------|------------------|-------------------|----------|------------|
| pan_aperture        | enabled      | 7 days    | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 37.2     |            |
| pan_endpoint        | enabled      | 7 days    | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 37.2     |            |
| pan_firewall        | enabled      | 7 days    | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 6258.7   |            |
| pan_wildfire_report | enabled      | 31 days   | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 217.8    |            |

0 Karma

raomu
Explorer

I checked Datamodel Acceleration Status:

| datamodel           | acceleration | retention | earliest            | latest              | build_inprogress | build_complete(%) | size(MB) |
|---------------------|--------------|-----------|---------------------|---------------------|------------------|-------------------|----------|
| pan_aperture        | enabled      | 7 days    | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 37.2     |
| pan_endpoint        | enabled      | 7 days    | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 37.2     |
| pan_firewall        | enabled      | 7 days    | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 6258.7   |
| pan_wildfire_report | enabled      | 31 days   | 12/31/1969 18:00:00 | 12/31/2037 22:00:00 | 0                | 100.0             | 217.8    |

0 Karma

raomu
Explorer

Hello,

When you say :

"See [pan_log] in props.conf of TA_Palo." -- I understand this as you asking me to check the props.conf of the Palo Alto Add-on, which is not correct; we don't have any props.conf on the add-on side, i.e. TA_Palo.

"Adding the same settings to your props.conf will be imported correctly." --- I didn't understand this part.

Let me know if I understand you correctly: are you asking me to copy the [pan_log] stanza, which is available in the Palo Alto App but not in the Palo Alto TA (add-on), to the Palo Alto add-on?

Also, the good part: after we installed the Palo Alto app and add-on on the indexer side, we are able to populate the 4 sourcetypes automatically:

1) pan:log
2) pan:traffic
3) pan:system
4) pan:threat

But none of my dashboards in the Palo Alto app give any result.

Please suggest.

0 Karma