Running Splunk on RHEL x64 with the latest version of the Palo Alto app. On the over view screen I can see 1 pan reporting and events showing up nothing in the block-url and N/A on the top category everything else is blank. When i do a search for index I only get
"pan_logs" and the only source type is
My inputs.conf is as follows:
#no_appending_timestamp = true
If i do
no_appending_timestamp = true
nothing will show up on the overview paged everything is 0.
My macros.conf hasn't been changed
Any help would be nice.
It is normal to have the index be "panlogs" and the sourcetype "panlog". And based on the fact that on the Overview screen the "PAN Reporting" and "Events" counts are not zero, it sounds like you are receiving something from your firewall. But you should be able to search the data. A few things to check...
Click 'Search' in the menu bar, set the time range to "All time", and use one of the available macros, like...
Those are back-ticks surrounding the macro, not apostrophes. You should get at least one event to come up with this search.
I did like you said and did a search for
pan_traffic and nothing showed up. The version of the Palo Alto app that I am showing under Apps is 3.3.1. On the Pan I am using the default settings for the syslogs and I have it set to send everything to Splunk.
The app gets all logs as sourcetype=panlog, then parses them into their respective sourcetype like sourcetype=pantraffic. Try one of the macros like:
Do you see anything there? If not, then it might be having trouble parsing the logs. Check on the firewall that you're using default CSV format for syslogs so the app can parse them.
Also, it concerns me that the dashboard inspect button came up with "index=panlogs sourcetype="pantraffic"" because the latest versions use "tstats" instead. Are you sure you're on the latest version fo the app? (currently version 3.3.1).
Thank you that worked I can see the data in the search. Now when I go to look at the traffic logs it is giving me "no matching events found. inspect..."
the inspect file shows index=panlogs sourcetype="pantraffic"
I did a search for pantraffic, panthreat, pansystem, panconfig and nothing will show up.