All Apps and Add-ons

Palo Alto app not parsing the sourcetype

ccsfdave
Builder

I can see the Palo Alto data coming into the Heavy Forwarder, into the /var/log/syslog/ngf01 (and ngf02). On the Search Head I see how the sourcetype should be extracted in: /opt/splunk/etc/apps/Splunk_TA_paloalto/default/transforms.conf but nothing is extracted and thus none of the Palo Alto data is extracted, it just comes in raw into the index = pan_logs but all the data goes to the sourcetype=pan and thus extractions of fields downstream of that do not work

I would expect minimum sourcetypes of pan_threat, pan_traffic, pan_system, pan_config

0 Karma

ccsfdave
Builder

@jibin1988 Hit me up on Slack or post your specific question, I may be able to help. This Answers is approaching 4y old so I am sure what issues I had are behind me.

0 Karma

jibin1988
Path Finder

@ccsfdave please let me know your slack id. request you to ping on slack j.sebastian@obrela.com

0 Karma

ccsfdave
Builder

Hmm, unless I am looking at the wrong inputs.conf (/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf) below is what I have in there on my heavy forwarder:

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ccsfdave
Builder

shoot, in

/opt/splunk/etc/apps/sf_syslog_inputs/local/inputs.conf

I had:
[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4

Which I have now changed to pan_logs and bounced the Fwdr. Let's see what happens

0 Karma

jibin1988
Path Finder

@ccsfdave You got it fixed? I have the same issue. palo alto logs are not getting parsed with TA.
can you please update if you got it fixed?

0 Karma

ccsfdave
Builder

Ya, I have the TA installed as per the installation instructions. I tried to follow them to a T but have been known to be spacey

0 Karma

maciep
Champion

I just took a quick peek at the TA, and it looks like it expects the initial sourcetype to be pan_log (or pan:log). Are you setting yours to just pan in your inputs? That might explain why it's not getting processed correctly

[pan_log]
rename = pan:log
pulldown_type = false
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44

[pan:log]
category = Network & Security
description = Output produced by the Palo Alto Networks Next-generation Firewall and Traps Endpoint Security Manager
pulldown_type = true
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
0 Karma

maciep
Champion

Do you have the Splunk_TA_paloalto add-on installed on the heavy forwarder as well? That's where the sourcetype parsing needs to happen in your scenario.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...