Palo Alto Networks App for Splunk: All Activity dashboards have no data

ssylar
Explorer

inputs.conf is configured/time is sync'd.
Realtime feed shows traffic, logs are indexed. There is no Overview dashboard.
Data model audit shows pan_firewall acceleration is enabled and build is 100%.
Firewall configuration and systems dashboards populate.
We are not using/including Aperture, Minemeld, Wildfire, or endpoint feeds.

Query inspections for SaaS look like:
This search has completed in 0.532 seconds, but did not match any events. The terms specified in the highlighted portion of the search: (the whole search criteria) over time range (one hour) did not return any results.
sanctioned_saas.csv is configured.

Query inspections for Web, Users, and File look like:
This search has completed and found 98 matching events in 5.879 seconds. However, the transforming commands in the highlighted portion of the following search: (the whole search criteria) over time range (one hour) did not return any results.

I'm testing in the lab on the free version of Enterprise 6.6.3 on Linux and PA-200 v8.0.5 using standard syslog.
Installed 6.0 as an update to App 5.4.2/Add-on 3.8.2.

thecodemonk
Engager

For me, with the web dashboard, I had to remove "content_type" from the list of fields in the primary query. After poking around the data model, it doesn't appear to be a field in there anymore (the model itself claims it's there, but searching the data in the data model shows no field by that name).

(Since I don't know if it's coming back, I just copied and commented out the original query, then pasted the modified version afterward)

thecodemonk
Engager

Yikes...the further I dig, the further it looks like something is really wrong in the data model vs what the dashboards are pulling.

Looking at the globalprotect dashboard, it's looking for log.system.globalprotect, which doesn't exist as a field in the data model (there's lots of other log.* items...but nothing even remotely similar to the field above).

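
One way to confirm the mismatch described in the two posts above (dashboard searches referencing fields the data model no longer exposes) is to compare the fields named in a dashboard's queries against the data model's exported field list. This is an added diagnostic example, not code from the Palo Alto Networks app; the dashboard XML and data model JSON below are constructed samples, and the `objects`/`objectName`/`fields`/`fieldName` layout is assumed to match a Splunk data model export.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard: two panel searches shaped like the ones the thread
# describes (web panel grouping by content_type, GlobalProtect panel grouping by
# log.system.globalprotect). Not the app's real dashboard XML.
DASHBOARD_XML = """<dashboard>
  <row><panel><chart><search>
    <query>| tstats count from datamodel=pan_firewall where log.subtype=url by log.content_type, log.category</query>
  </search></chart></panel></row>
  <row><panel><table><search>
    <query>| tstats count from datamodel=pan_firewall by log.system.globalprotect</query>
  </search></table></panel></row>
</dashboard>"""

# Constructed data model export listing only the fields the model actually exposes.
# The key names follow the assumed Splunk data model JSON layout.
DATAMODEL_JSON = json.dumps({
    "objects": [
        {"objectName": "log",
         "fields": [{"fieldName": "subtype"}, {"fieldName": "category"}, {"fieldName": "src_ip"}]}
    ]
})

# Data model fields referenced in tstats searches look like "log.<field>" (dots allowed).
FIELD_RE = re.compile(r"\b(log\.[A-Za-z0-9_.]+)")

def datamodel_fields(json_text):
    """Return the set of '<object>.<field>' names the data model exposes."""
    model = json.loads(json_text)
    return {f"{obj['objectName']}.{f['fieldName']}"
            for obj in model["objects"] for f in obj["fields"]}

def dashboard_queries(xml_text):
    """Extract every <query> string from a Simple XML dashboard."""
    return [q.text for q in ET.fromstring(xml_text).iter("query")]

def missing_fields(xml_text, json_text):
    """Map each query to the sorted list of referenced fields absent from the model."""
    known = datamodel_fields(json_text)
    report = {}
    for query in dashboard_queries(xml_text):
        missing = sorted(set(FIELD_RE.findall(query)) - known)
        if missing:
            report[query] = missing
    return report

if __name__ == "__main__":
    for query, fields in missing_fields(DASHBOARD_XML, DATAMODEL_JSON).items():
        print(f"missing {fields} in: {query}")
```

A transforming command such as `stats ... by` over a field that no event carries is exactly the case where Splunk reports matching events but an empty result, so a non-empty report here points at the query, not the indexing.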

dbray_sd
Path Finder

I've recently upgraded to Splunk 7.0.1 and palo-alto-networks-add-on-for-splunk_602 with palo-alto-networks-app-for-splunk_601. I have noticed that for the empty Dashboards within the app, if I crack them open and put:

index="pan_logs"

...in front of each query, then the data is populated. Or, easier, update the search macros to include the specific index and that works as well. However, without specifying the index, the data remains blank. I have even tried to revert back to palo-alto-networks-add-on-for-splunk_382 and palo-alto-networks-app-for-splunk_542, but the issue remains. Anybody else seeing this weirdness?

panguy
Contributor

This is caused by a few new fields not being populated. These fields will get populated after updating the content packs.

Make sure you have your firewall/Panorama credentials configured and follow this guide on updating content packs.

https://splunk.paloaltonetworks.com/lookups.html#contentpack

ssylar
Explorer

I've verified the savedsearch configuration and the creds for the firewall a few times. app_list and threat_list remain empty files. Permissions are correct, and if I run the saved searches from the search bar in Splunk they return data. Will the TA saved searches log an error somewhere if they fail?

Also, the serial number and vsys name for the firewall never populates in the filtering bar of dashboards. Or users, or any of the other criteria such as web categories that would populate as drop-downs.

ssylar
Explorer

In the event I ever get this working again, please restore the Traffic Overview dashboard. It's very useful for network operations.

ssylar
Explorer

Rolling back to App 5.4.2/Add-on 3.8.2.

connectiv
New Member

Same issue here. PANW app is installed and collecting data, logs are visible in searches and some parts of dashboards work:

  • Web Activity Dashboard: Methods over Time, Top Referrers, Top File Downloads work. Destinations, Categories, Applications & Content do not
  • User Behavior: Top numbers work (counts of URL activities etc) but graphs below do not
  • Firewall System Configuration works fine.

Data Model Audit shows over 1 million firewall logs ingested, and acceleration enabled for all datamodels.

Installed Splunk on Sunday night specifically to get access to the PANW app.
Looks like a compatibility issue maybe?

Splunk version 7.0.0
PANW App version 6.0.0

eooi
Engager

I'm also experiencing the same issues. The previous version of the app worked but since upgrading, not all dashboards will fully load data. Running on Splunk Enterprise 7.0.1 with Palo Alto App 6.0.1.

connectiv
New Member

Update: installed a fresh Splunk 6.64 and installed the PANW App & Add-on here.

Same issue - the User Behavior dashboard shows some numbers at the top, but not all widgets, and the Web Activity shows very little apart from Methods over Time and Top Referrers.

I can see the PANW App and Add-On were both updated just under two weeks ago to v6; possibly they need a bit more work.

Splunk version 6.6.4
PANW App version 6.0.0

gharrison90
Explorer

Are you getting results when you search for threat or traffic logs in the last 15 minutes or is it only with realtime searches? We had an issue where the logs were off by exactly 1 year, so I didn't initially see the time discrepancy. Only realtime searches produced results. I had to change the pan:log timestamp from "Advanced" to "Current Time".

ssylar
Explorer

Yes, I do see threats in the Threat dashboard. There isn't a traffic dashboard like in the previous version (I miss it). I can run general traffic searches from the search bar. All logs are there.

Web activity dashboard returns results in the "Methods Over Time" panel.

User behavior returns results in the three "Top" panels along with accurate event counts.
