The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default indexer, which is "AAA", with default source type "BBB".
We have also installed the Palo Alto add-on on the indexers (in cloud) and also deployed the Palo Alto app on the search head.
We have created a props.conf and transforms.conf which segregate the Palo Alto data from the default sourcetype "AAA" to "pan:logs". So now we have Palo Alto data coming in to our default indexer "AAA" and sourcetype "pan:logs".
Now, I have seen in some articles where it mentions that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype is "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?
Please suggest.
give me stats with 6 nodes
I believe it's not pulling all the nodenames. What I get is:
log
log.file
log.system
log.traffic
log.traffic.end
log.traffic.start
But there are some which I know I am missing. For example nodename="log.correlation"; like this there might be others also, which I am not sure about.
Please check the subtype setting.
| tstats summariesonly=t count from datamodel="pan_firewall" GROUPBY nodename log.log_subtype
nodename           log.log_subtype
log                deny
log                drop
log                end
log                file
log                general
log                start
log                url-filtering
log.file           file
log.system         general
log.system         url-filtering
log.traffic        deny
log.traffic        drop
log.traffic        end
log.traffic        start
log.traffic.end    end
log.traffic.start  start
I think there is no problem. Isn't it just that the data for the dashboard I want to see does not exist?
Please check the troubleshooting page and check again.
https://splunk.paloaltonetworks.com/troubleshoot.html
Thanks for all your help. I had already gone through that link; it didn't help much. I have a case open with Splunk tomorrow, let's see if they have anything to say on this. I will keep you posted on the results. Thanks
Do we need any configuration on the add-on side on the search head? I see there is a configuration tab.
Hi,
I removed some settings which I made earlier under our custom app for props.conf and transforms.conf for pan:log and pan:traffic. After I removed those settings, I am not able to get any logs in any source type. Could you please suggest if I need to make those changes, and whether this is how this app is designed to work?
We have a custom app, AAA, where we push props.conf and transforms.conf:
# transforms.conf (as posted): both stanzas rewrite the sourcetype of the raw event
[dnb_PaloAlto_sourcetype_setting]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)
FORMAT = sourcetype::pan:log
DEST_KEY = MetaData:Sourcetype

[pan_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = ^[^,]+,[^,]+,[^,]+,TRAFFIC,
FORMAT = sourcetype::pan:traffic

# props.conf (as posted); the stanza that holds this TRANSFORMS- setting was not included
TRANSFORMS-sub_sourcetype_PaloAlto = pan_traffic

[pan_traffic]
rename = pan:traffic

[pan:traffic]
REPORT-search = extract_traffic
FIELDALIAS-app = app as application
FIELDALIAS-vsys = virtual_system as vsys

# Field Aliases to map specific fields to the Splunk Common Information Model - Network Traffic
EVAL-vendor_action = action
LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action
# bytes, bytes_in, bytes_out
FIELDALIAS-dest_for_pan_traffic = dest_ip as dest
FIELDALIAS-dvc_for_pan_traffic = host as dvc
FIELDALIAS-protocol_for_pan_traffic = protocol as vendor_protocol
FIELDALIAS-transport = protocol as transport
FIELDALIAS-src_for_pan_traffic = src_ip as src
FIELDALIAS-dest_category = category as dest_category

# Set user field
EVAL-user = coalesce(src_user,dest_user,"unknown")

# Determine client and server ip address based on direction of flow
# There is no direction field in traffic logs, so assume source is client
EVAL-server_ip = dest_ip
EVAL-client_ip = src_ip

# Determine client and server geo location based on direction of flow
# There is no direction field in traffic logs, so assume source is client
EVAL-server_location = dest_location
EVAL-client_location = src_location

LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product
LOOKUP-pan_app = app_lookup app

# IP Classification based on ip_classification lookup table
# This lookup table can be modified by user to mark IP ranges as serving specific purposes (eg. DMZ_Servers)
LOOKUP-src_class = classification_lookup cidr as src_ip OUTPUT classification as src_class
LOOKUP-dest_class = classification_lookup cidr as dest_ip OUTPUT classification as dest_class
LOOKUP-app_saas_class = sanctioned_saas_lookup app OUTPUT sanctioned_saas as app:is_sanctioned_saas
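An added check, not from the thread or the Palo Alto add-on, that replays the two posted transforms against constructed syslog lines to show which sourcetype each event ends up with and in what order the rewrites happen. Python's re stands in for Splunk's PCRE, and the hostname "uk-fw01-panorama" and the log contents are made up to fit the posted REGEX values.

```python
import re

# Constructed sample events (not from the thread): two Panorama-forwarded
# syslog lines (a TRAFFIC log and a SYSTEM log) and one non-PAN syslog line.
SAMPLE_EVENTS = [
    "Jan 10 10:00:01 uk-fw01-panorama 1,2019/01/10 10:00:01,001234567890,"
    "TRAFFIC,end,1,2019/01/10 10:00:00,10.0.0.5,8.8.8.8,0.0.0.0,0.0.0.0",
    "Jan 10 10:00:02 uk-fw01-panorama 1,2019/01/10 10:00:02,001234567890,"
    "SYSTEM,general,0,2019/01/10 10:00:02,vsys1,general,High",
    "Jan 10 10:00:03 core-sw01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
]

# (name, REGEX, FORMAT sourcetype) copied from the posted transforms.conf, in
# the order they would run if both were listed in one TRANSFORMS-* setting.
TRANSFORMS = [
    ("dnb_PaloAlto_sourcetype_setting",
     r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(\w\w-\w+-panorama)", "pan:log"),
    ("pan_traffic", r"^[^,]+,[^,]+,[^,]+,TRAFFIC,", "pan:traffic"),
]


def apply_sourcetype_transforms(event, transforms, default="AAA"):
    """Emulate successive DEST_KEY=MetaData:Sourcetype rewrites on one event.
    Every REGEX is matched against the raw event, so a later match overwrites
    the sourcetype set by an earlier one. Returns (final sourcetype, trail)."""
    sourcetype = default
    trail = [default]
    for _name, regex, new_sourcetype in transforms:
        if re.search(regex, event):
            sourcetype = new_sourcetype
            trail.append(new_sourcetype)
    return sourcetype, trail


def sourcetype_counts(events, transforms, default="AAA"):
    """Count events per final sourcetype, like `index=XX | stats count by sourcetype`."""
    counts = {}
    for event in events:
        sourcetype, _ = apply_sourcetype_transforms(event, transforms, default)
        counts[sourcetype] = counts.get(sourcetype, 0) + 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        _final, trail = apply_sourcetype_transforms(event, TRANSFORMS)
        print(f"{' -> '.join(trail):32} {event[:40]}...")
    print(sourcetype_counts(SAMPLE_EVENTS, TRANSFORMS))
```

The trail for the TRAFFIC line shows why nothing stays in pan:log: the event is matched into pan:log and then immediately rewritten to pan:traffic by the second transform.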
The Palo Alto app needs to receive the source type pan_log. Does the pan_log setting exist?
pan_log is defined under props.conf and transforms.conf of the Palo Alto app, which is installed on all indexers and the search head as you suggested.
All the device logs come to the Network folder. In the Network folder we have Palo Alto device logs as well.
Under inputs.conf, by default, logs go to the network index and network source type.
What I tried now is:
Under inputs.conf I added another stanza below:
[monitor:///path_of_log_file/*.log]
sourcetype = pan:log
But even this doesn't get anything in the pan:log sourcetype.
If there is a log, it is obtained by pan:log. For the correct log, the source type is changed from pan:log to pan:XXX.
Can you really not find the logs?
index=XX sourcetype = pan*
I can see logs coming to the correct sourcetype, although I see only 3 out of 4 sourcetypes.
pan:log is not populating.
Also, when I try to run this:
| tstats summariesonly=t count from datamodel="pan_firewall" GROUPBY nodename log.log_subtype
I get the error message "Error in 'TsidxStats': Could not find datamodel: pan_firewall".
Do I need to rebuild the data model?
pan:log is changed to another source type. It is OK for it not to be searched.
Please rebuild the data model.
To rebuild the data model, I need to click Settings -> Data models -> look for Palo Alto -> click the Rebuild option? Is that all correct?
Yes, it is.
If the aggregation period is displayed, it is as below.
Summary Range
604800 second(s) -> 7 Days
Thanks for all your help. Although it's not completely fixed, I am still working on some of the dashboards, but we are very close. Thanks for all your guidance.
Yes, as stated in a previous answer, you really need these logs to be ingested as pan:log first. You're going to run into complications if you try to rewrite the sourcetype with a transform (as the PA TA does this as well).