Hello
Splunk is receiving data from Palo Alto Traps (via TCP in a dedicated index). Endpoint Operations dashboard is showing data.
Admins of Traps are expecting to see also data for wildfire, like
Jun 11 2019 14:26:23 172.16.71.122 CEF:0|Palo Alto Networks|Traps Agent|4.2.3.41131|Notification Event|Threat|6|rt=Jun 11 2019 14:26:23 dhost=*** duser=*** cs2Label=Module cs2=WildFire deviceProcessName=*** fileHash=*** cs3Label=ContentVersion cs3=*** dvc=*** cs5Label=EventTime cs5=Jun 11 2019 14:26:14 msg=New notification event. Prevention Key: ***
I checked the troubleshooting guide. Typically, I don't get any result for
eventtype=pan_wildfire
I checked some of the props/transform regex, and none seems to identify those lines as wildfire events. Seems then correct that nothing pops up in the dashboard.
What raw data should I expect to find in my index confirming that I get wildfire events.
Thanks in advance for your help
The pan_wildfire event type comes from Palo Alto Networks Firewall logs. Typically it is a THREAT log type with a subtype of wildfire. The wildfire dashboard will get populated when Firewall logs are being sent to Splunk.
The pan_wildfire event type comes from Palo Alto Networks Firewall logs. Typically it is a THREAT log type with a subtype of wildfire. The wildfire dashboard will get populated when Firewall logs are being sent to Splunk.
Thanks for your response.
That's explain it: we have only Traps, not the Palo Alto Firewall. Then no data for the dashboard using the pan_wildfire eventtype.
Sorry for the late response: i was out of office for a few days.
Thanks again.