
Palo Alto Networks App for Splunk: Nothing appears in the app, how can I configure the app correctly for Splunk 6.5.0?

jchamb
Explorer

So I'm trying to configure this on a relatively new Splunk install. I have the firewalls sending over some traffic and threat logs. If I search eventtype=pan:log I get results, so my logs are hitting Splunk. However, in the PAN app nothing is appearing. It seems like it is not properly changing it to pan_threat, etc.

I'm relatively new to Splunk but it feels like this just isn't being indexed correctly. What do I need to do to make sure this gets parsed correctly?

Configuration on 6.5.0; App version 5.2

0 Karma

aaraneta_splunk
Splunk Employee

Hi @jchamb - Did one of the answers below help provide a solution to your question? If yes, please don't forget to click "Accept" below the best answer and up-vote any answer that was helpful. If no, please provide some more feedback by leaving a comment. Thanks!

0 Karma

goodsellt
Contributor

Do you have both the Addon and App installed on the Search Head you're using? Also do you pass the logs through a Heavy Forwarder? I use the app successfully currently and our setup is:

Search Heads - Addon & App

Indexers: Addon

Heavy Forwarder: Addon

The configurations that Splunk uses to modify the logs are in the addon, and they need to be in place at both the Search Head level (so it knows what the different PAN objects are) and the point of entry (either HF or Indexer) so it knows what metadata to alter at index time.

0 Karma
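The index-time sourcetype rewrite goodsellt is describing, as an added illustration that is not the add-on's own code: it models a props/transforms rule that inspects the TYPE field of a raw pan:log event and reassigns the sourcetype (pan:threat, pan:traffic, ...). The rule shapes, sourcetype names and sample log lines are assumptions constructed for this example; the point it shows is that when the add-on is missing from the tier that first parses the data, nothing is ever rewritten and the app's pan_threat-style eventtypes stay empty.

```python
import re

# Constructed PAN-OS style CSV syslog lines (not real traffic). In this format
# field 4 is TYPE (TRAFFIC, THREAT, SYSTEM, CONFIG) and field 5 is the subtype.
SAMPLE_LOGS = [
    "1,2016/11/01 10:00:01,0012345678,TRAFFIC,end,1,2016/11/01 10:00:01,10.0.0.5,198.51.100.20",
    "1,2016/11/01 10:00:02,0012345678,THREAT,vulnerability,1,2016/11/01 10:00:02,10.0.0.7,198.51.100.20",
    "1,2016/11/01 10:00:03,0012345678,THREAT,url,1,2016/11/01 10:00:03,10.0.0.9,198.51.100.30",
    "1,2016/11/01 10:00:04,0012345678,SYSTEM,general,1,2016/11/01 10:00:04,,,",
    "not a palo alto event at all",
]

# Assumed shape of the add-on's transforms: a REGEX over the raw event that
# skips three CSV fields and anchors on TYPE, plus the sourcetype it assigns
# (the equivalent of FORMAT = sourcetype::pan:threat, DEST_KEY = MetaData:Sourcetype).
SOURCETYPE_RULES = [
    (re.compile(r"^(?:[^,]*,){3}TRAFFIC,"), "pan:traffic"),
    (re.compile(r"^(?:[^,]*,){3}THREAT,"), "pan:threat"),
    (re.compile(r"^(?:[^,]*,){3}SYSTEM,"), "pan:system"),
    (re.compile(r"^(?:[^,]*,){3}CONFIG,"), "pan:config"),
]


def route_sourcetype(raw, default="pan:log"):
    """Return the sourcetype the parsing tier would assign to one raw event.

    Events that match no rule keep the inbound sourcetype (pan:log)."""
    for pattern, sourcetype in SOURCETYPE_RULES:
        if pattern.match(raw):
            return sourcetype
    return default


def count_by_sourcetype(lines, addon_on_parsing_tier=True):
    """Count events per sourcetype as they would be stored in the index.

    addon_on_parsing_tier=False models the broken deployment from the thread:
    the add-on only lives on the search head, so the index-time rewrite never
    runs and every event is stored as plain pan:log."""
    counts = {}
    for line in lines:
        sourcetype = route_sourcetype(line) if addon_on_parsing_tier else "pan:log"
        counts[sourcetype] = counts.get(sourcetype, 0) + 1
    return counts


if __name__ == "__main__":
    print("add-on on HF/indexer:", count_by_sourcetype(SAMPLE_LOGS, True))
    print("add-on on SH only:   ", count_by_sourcetype(SAMPLE_LOGS, False))
```

A quick way to confirm which case you are in: search `index=* sourcetype=pan:*` and look at the sourcetype values; if only pan:log comes back, the rewrite is not happening where the data is parsed.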

goodsellt
Contributor

Also, if it was working for you prior to 6.5, there may have been a change internally which threw off the macros and items the app is using. I noticed there is a new version of the App/Addon posted to the GitHub for this app, and it should be on Splunkbase pretty soon I'd think.

Also make sure that your version of PAN-OS is compatible with the Addon version you're using, as sometimes the formatting is changed by PA.

0 Karma

splk
Communicator

Please check if your Palo Alto is sending all logs (threat, url, traffic, wildfire).
I noticed a similar behavior, and the cause was some missing threat logs.

0 Karma

Dallastek
Explorer

Is your Palo Alto data model accelerated? If I recall correctly, the app pulls data in from there using the tstats command.

0 Karma