All Apps and Add-ons

Splunk_TA_paloalto not parsing the logs

jibin1988
Path Finder

Splunk_TA_paloalto is not parsing the logs :

inputs.conf :

[monitor:///data/splunkapp/syslog/MSSLCPRY01/paloalto_fw//.log]
sourcetype = pan:log
index = it
host_segment = 6
disabled = false

Is it mandatory to keep the index pan_log?

Palo alto logs are sending to syslog server/HF and TA installed on syslog/HF.

Can someone please help whats going wrong in this.

0 Karma

sumanssah
Communicator

Please try this

inputs.conf :

[monitor:///data/splunkapp/syslog/MSSLCPRY01/paloalto_fw/
 *.log        ]
sourcetype = pan:log
index = it
host_segment = 6
disabled = false

Yes can send Paloalto logs to any index, make sure you are sending logs to pan:log

https://splunk.paloaltonetworks.com/firewalls-panorama-and-traps.html

0 Karma

jibin1988
Path Finder

Hi @sumanssah ,

My inputs.conf is same as you mentioned and sourcetype is pan:log :
monitoring path is correct.

[monitor:///data/splunkapp/syslog/MSSLCPRY01/paloalto_fw//.log]
sourcetype = pan:log
index = it
host_segment = 6
disabled = false

0 Karma

jibin1988
Path Finder

Question is, I am searching for index=it sourcetype=pan* in search app.
will the parsing works for search app as well? OR we must use paloalto addon for searching?

0 Karma

harsmarvania57
Ultra Champion

Hi,

You can index data in any index.

Please install Splunk_TA_paloalto on Search Heads so that it will parse data properly.

0 Karma

jibin1988
Path Finder

@harsmarvania57 Thanks for the input. Its installed in Search Heads as well.

0 Karma

harsmarvania57
Ultra Champion

After data is indexed, what sourcetype you can see from searchhead for paloalto logs ?

0 Karma

jibin1988
Path Finder

i can see below sourcetypes:

pan:traffic
pan:threat
pan:system

0 Karma

harsmarvania57
Ultra Champion

That means HF is parsing data properly. Can you please check Splunk_TA_paloalto add-on permission on SH, it should be Global - Read to everyone

0 Karma

jibin1988
Path Finder

@harsmarvania57 Permission is Global. But issue here is there no src_ip, dst_ip etc. And in search app my log looks like below:

< 14 >Feb 18 07:54:52 FWRY95-IT-RDC46-F1-WA-A10-01 1,2020/02/18 07:54:52,012501002982,TRAFFIC,drop,2049,2020/02/18 07:54:52,192.168.99.50,10.21.64.18,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Outside,FWasGW-2001,ae1.2000,,LOG-FOR,2020/02/18

Its looks like the timestamp issue i think.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...