Palo Alto app not parsing the sourcetype

ccsfdave
Builder

I can see the Palo Alto data coming into the Heavy Forwarder, into /var/log/syslog/ngf01 (and ngf02). On the Search Head I see how the sourcetype should be extracted in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/transforms.conf, but nothing is extracted, and thus none of the Palo Alto data is extracted. It just comes in raw into index = pan_logs, but all the data goes to sourcetype=pan, and thus extractions of fields downstream of that do not work.

I would expect minimum sourcetypes of pan_threat, pan_traffic, pan_system, pan_config

ccsfdave
Builder

@jibin1988 Hit me up on Slack or post your specific question, I may be able to help. This Answers is approaching 4y old so I am sure what issues I had are behind me.

jibin1988
Path Finder

@ccsfdave please let me know your Slack id. Request you to ping on Slack: j.sebastian@obrela.com

ccsfdave
Builder

Hmm, unless I am looking at the wrong inputs.conf (/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf), below is what I have in there on my heavy forwarder:

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

ccsfdave
Builder

Shoot, in

/opt/splunk/etc/apps/sf_syslog_inputs/local/inputs.conf

I had:

[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4

Which I have now changed to pan_logs and bounced the Fwdr. Let's see what happens.

jibin1988
Path Finder

@ccsfdave You got it fixed? I have the same issue. Palo Alto logs are not getting parsed with the TA.
Can you please update if you got it fixed?

ccsfdave
Builder

Ya, I have the TA installed as per the installation instructions. I tried to follow them to a T, but have been known to be spacey.

maciep
Champion

I just took a quick peek at the TA, and it looks like it expects the initial sourcetype to be pan_log (or pan:log). Are you setting yours to just pan in your inputs? That might explain why it's not getting processed correctly.

[pan_log]
rename = pan:log
pulldown_type = false
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44

[pan:log]
category = Network & Security
description = Output produced by the Palo Alto Networks Next-generation Firewall and Traps Endpoint Security Manager
pulldown_type = true
# This first line adjusts PAN-OS 6.1.0 threat logs to revised 6.1.1+ format where the reportid field is at the end.
SEDCMD-6_1_0 = s/^((?:[^,]+,){3}THREAT,(?:[^,]*,){27}".*",[^,]*,)(\d+),((?:[^,]*,){3})(\d+,0x\d+,(?:[^,]*,){14})$/\1\3\4,\2/
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 44
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_endpoint
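The two points maciep makes (the props.conf stanzas only fire for events that arrive as pan_log/pan:log, and the parsing has to happen on the box that first touches the data, i.e. the heavy forwarder) can be checked offline before bouncing anything. The script below is an added example, not part of this thread or of the Splunk_TA_paloalto add-on: it lints an inputs.conf for stanzas whose sourcetype the TA will ignore, and it simulates the TRANSFORMS-sourcetype routing on a few constructed PAN-OS style lines. The routing regex is a constructed approximation of the TA's transforms (it reuses the `^(?:[^,]*,){3}` prefix visible in the SEDCMD above), the target names pan_traffic/pan_threat/pan_system/pan_config/pan_hipmatch are the ones the original poster expects rather than values read from the TA, and the sample events and inputs.conf text are constructed for the demo.

```python
import configparser
import re

# Initial sourcetypes on which the TA's props.conf applies TRANSFORMS-sourcetype.
# (The quoted props.conf renames pan_log to pan:log.)
ACCEPTED_INPUT_SOURCETYPES = {"pan:log", "pan_log"}

# The PAN-OS "Type" column is the fourth comma-separated field, which is why the TA's
# SEDCMD begins with ^(?:[^,]+,){3}THREAT.  A syslog header in front of the CSV payload
# contains no commas, so it simply becomes part of field one and does not shift the count.
# Constructed approximation of the TA's routing transforms (assumption, not the TA's file).
PAN_TYPE_RE = re.compile(r"^(?:[^,]*,){3}(TRAFFIC|THREAT|SYSTEM|CONFIG|HIP-MATCH),")

# Target sourcetype per log type; names are the ones the thread expects (assumption).
TYPE_TO_SOURCETYPE = {
    "TRAFFIC": "pan_traffic",
    "THREAT": "pan_threat",
    "SYSTEM": "pan_system",
    "CONFIG": "pan_config",
    "HIP-MATCH": "pan_hipmatch",
}


def route_sourcetype(line, initial_sourcetype):
    """Mimic index-time routing on the parsing tier.

    Transforms are attached to the [pan:log]/[pan_log] stanzas, so an event that arrives
    with any other sourcetype (e.g. plain 'pan') keeps it untouched.  A recognised event
    is re-typed by its Type column; an unrecognised payload stays on the base sourcetype.
    """
    if initial_sourcetype not in ACCEPTED_INPUT_SOURCETYPES:
        return initial_sourcetype
    m = PAN_TYPE_RE.match(line)
    if not m:
        return "pan:log"
    return TYPE_TO_SOURCETYPE[m.group(1)]


def check_inputs_conf(text):
    """Parse inputs.conf text; return {stanza: problem-string-or-None} per stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for stanza in cp.sections():
        st = cp.get(stanza, "sourcetype", fallback=None)
        if st is None:
            findings[stanza] = "no sourcetype set; TA transforms will not run"
        elif st not in ACCEPTED_INPUT_SOURCETYPES:
            findings[stanza] = (
                f"sourcetype={st!r} is not pan:log/pan_log; events stay on {st!r}"
            )
        else:
            findings[stanza] = None
    return findings


# Constructed inputs.conf: the first stanza reproduces the mistake discussed in the thread.
SAMPLE_INPUTS = """\
[monitor:///var/log/syslog/ngf0*/*.log]
index = pan_logs
sourcetype = pan
no_appending_timestamp = true
host_segment = 4

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
"""

# Constructed, truncated PAN-OS style events with a syslog header in front of the CSV.
SAMPLE_EVENTS = [
    "Oct 10 10:00:01 ngf01 1,2019/10/10 10:00:01,001901000000,TRAFFIC,end,2049,...",
    "Oct 10 10:00:02 ngf01 1,2019/10/10 10:00:02,001901000000,THREAT,vulnerability,...",
    "Oct 10 10:00:03 ngf01 1,2019/10/10 10:00:03,001901000000,SYSTEM,general,...",
    "Oct 10 10:00:04 ngf01 1,2019/10/10 10:00:04,001901000000,CONFIG,0,...",
]


def demo():
    """Show the same events routed under the bad and the accepted input sourcetype."""
    for stanza, problem in check_inputs_conf(SAMPLE_INPUTS).items():
        print(f"[{stanza}] -> {problem or 'OK'}")
    for initial in ("pan", "pan:log"):
        routed = [route_sourcetype(ev, initial) for ev in SAMPLE_EVENTS]
        print(f"input sourcetype={initial!r}: {routed}")
    return True


if __name__ == "__main__":
    demo()
```

Run it on the heavy forwarder against the actual inputs.conf (replace SAMPLE_INPUTS with the file contents): a stanza reported as "not pan:log/pan_log" is exactly the situation the thread describes, where everything lands in index=pan_logs under a single sourcetype and the per-type field extractions never apply.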

maciep
Champion

Do you have the Splunk_TA_paloalto add-on installed on the heavy forwarder as well? That's where the sourcetype parsing needs to happen in your scenario.