Running the latest PAN FW App and Add On Splunk 7.02
I followed the troubleshooting steps to no avail. URLs are reported by a regular search. After a bit of investigation it looks like there's no event type "pan_url", which is used in the datamodel. So, you run a simple query such as eventtype="pan_threat". The query returns results, including URLs, but eventtype="pan_url" comes up empty.
Any idea?
eventtype="pan_threat" should not contain 'url' logs in the results. Palo Alto Networks uses 'THREAT' type logs for urls (even if they aren't really threats), but the App/Add-on makes a distinction, so eventtype="pan_threat" should be only actual threats (not URLs) and eventtype="pan_url" should be only URL logs. URL logs are logs with ,THREAT,url, near the beginning of the log. If you are certain you're getting url logs in the pan_threat search then it sounds like they aren't getting parsed correctly. This is a search-time distinction made on the log_subtype field. Can you tell us what you're getting in the log_subtype field for the url logs?
Thank you for the clarification. I double checked. The query eventtype="pan_threat" definitely returns the url field among others. log_subtype is listed as "vulnerability", and in one instance it was "spyware".
Returning a 'url' field is not the same as being a 'url' log. A url log MUST have the word 'url' in the log_subtype field. Since you're getting 'vulnerability' and 'spyware', these are vulnerability and spyware logs, not url logs.
My guess is you're not sending URL logs to Splunk from the firewall. You need to set this up on the firewall side using the URL Filtering feature.
What version of the App and Add-on do you have installed?
You can check if the eventtype exists by navigating to Settings > Event types. Do a search for "url". Does "pan_url" show up?
Running Add-on ver. 6.0.2 and App ver. 6.0.1. Event type searches for "url" and "pan_url" returned:
pan_threat sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype != "url" log_subtype != "file" log_subtype != "wildfire" log_subtype != "data"
pan_url sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "url"
Thanks
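Added example, not part of this thread or the Palo Alto Networks App: a small Python model of the search-time distinction described above (the two eventtype definitions quoted in the last post), run over constructed THREAT/TRAFFIC log lines to show why a firewall that forwards only vulnerability/spyware logs leaves pan_url empty. The field positions (type at index 3, log_subtype at index 4) and the sample lines are assumptions made for the example.

```python
import csv
from collections import Counter

# Constructed PAN-OS THREAT/TRAFFIC syslog bodies (not real firewall output).
# Assumed layout: FUTURE_USE, receive_time, serial, type, subtype, ...
SAMPLE_LOGS = [
    "1,2024/01/15 10:00:01,001234567890,THREAT,vulnerability,0,2024/01/15 10:00:01,10.0.0.5,203.0.113.7",
    "1,2024/01/15 10:00:02,001234567890,THREAT,spyware,0,2024/01/15 10:00:02,10.0.0.6,203.0.113.8",
    "1,2024/01/15 10:00:03,001234567890,THREAT,url,0,2024/01/15 10:00:03,10.0.0.7,203.0.113.9",
    "1,2024/01/15 10:00:04,001234567890,THREAT,wildfire,0,2024/01/15 10:00:04,10.0.0.8,203.0.113.10",
    "1,2024/01/15 10:00:05,001234567890,TRAFFIC,end,0,2024/01/15 10:00:05,10.0.0.9,203.0.113.11",
]

# Subtypes the App carves out of pan_threat into their own eventtypes.
NOT_PAN_THREAT = {"url", "file", "wildfire", "data"}


def parse_log(line):
    """Return (type, log_subtype) from one CSV log line, or None if too short."""
    fields = next(csv.reader([line]))
    if len(fields) < 5:
        return None
    return fields[3], fields[4]


def eventtype_for(line):
    """Mirror the two search-time eventtype definitions quoted in the thread."""
    parsed = parse_log(line)
    if parsed is None or parsed[0] != "THREAT":
        return None  # only THREAT logs feed pan_threat / pan_url
    log_subtype = parsed[1]
    if log_subtype == "url":
        return "pan_url"
    if log_subtype not in NOT_PAN_THREAT:
        return "pan_threat"
    return None  # file/wildfire/data belong to other eventtypes


def url_logging_check(lines):
    """Triage summary: eventtype and log_subtype counts. An empty pan_url beside a
    populated pan_threat means the firewall is not forwarding URL Filtering logs."""
    eventtypes, subtypes = Counter(), Counter()
    for line in lines:
        eventtypes[eventtype_for(line) or "other"] += 1
        parsed = parse_log(line)
        if parsed and parsed[0] == "THREAT":
            subtypes[parsed[1]] += 1
    return {"eventtypes": dict(eventtypes), "threat_subtypes": dict(subtypes),
            "url_logs_received": eventtypes["pan_url"] > 0}
```

Running url_logging_check over only the first two sample lines reproduces the situation in the thread: pan_threat populated with vulnerability and spyware, pan_url empty, so the fix is on the firewall's log forwarding side rather than in Splunk.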