Palo Alto Networks App for Splunk: Since logs are ...

mikesangray · ‎01-14-2016

Good to hear that the pan_logs index requirement is gone.

Please clarify - since the logs can go into any index I specify, how does the app know where to look? Is it just by eventtype?

btorresgil · ‎01-14-2016

Yes, the logs are retrieved by eventtype. Of course, the logs have to be in an index that is searchable by the user.

Incidentally, this allows you to hide certain events from some users by restricting their access to an index with sensitive events.

mikesangray · ‎01-21-2016

Does the sourcetype need to be pan_logs ?

btorresgil · ‎01-21-2016

In App versions before 5.0.0, the sourcetype in the inputs.conf has to be pan_log. App version 5.0.0 and higher, the sourcetype is changed to pan:log to conform with new Splunk standards, but pan_log still works fine. The props and transforms will parse any logs with sourcetype pan:log (or pan_log) into one of the more specific sourcetypes (pan:traffic, pan:threat, etc.). So when the logs are indexed they will have sourcetype of pan:traffic, pan:threat, etc, and not sourcetype pan:log.

mikesangray · ‎01-21-2016

Just to clarify - the index isn't specified as part of the config in any way, the app just uses the eventtype - correct?

btorresgil · ‎01-21-2016

Correct, the index is not specified anywhere in the app, starting with app version 5.0.0. Only the eventtype is used.

Palo Alto Networks App for Splunk: Since logs are no longer required to be stored in the pan_logs index, how does the app know where to look?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!