- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk_TA_paloalto not parsing the logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk_TA_paloalto not parsing the logs
Splunk_TA_paloalto is not parsing the logs :
inputs.conf :
[monitor:///data/splunkapp/syslog/MSSLCPRY01/paloalto_fw//.log]
sourcetype = pan:log
index = it
host_segment = 6
disabled = false
Is it mandatory to keep the index pan_log?
Palo alto logs are sending to syslog server/HF and TA installed on syslog/HF.
Can someone please help whats going wrong in this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try this
inputs.conf :
[monitor:///data/splunkapp/syslog/MSSLCPRY01/paloalto_fw/
*.log ]
sourcetype = pan:log
index = it
host_segment = 6
disabled = false
Yes can send Paloalto logs to any index, make sure you are sending logs to pan:log
https://splunk.paloaltonetworks.com/firewalls-panorama-and-traps.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sumanssah ,
My inputs.conf is same as you mentioned and sourcetype is pan:log :
monitoring path is correct.
[monitor:///data/splunkapp/syslog/MSSLCPRY01/paloalto_fw//.log]
sourcetype = pan:log
index = it
host_segment = 6
disabled = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Question is, I am searching for index=it sourcetype=pan* in search app.
will the parsing works for search app as well? OR we must use paloalto addon for searching?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can index data in any index.
Please install Splunk_TA_paloalto on Search Heads so that it will parse data properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsmarvania57 Thanks for the input. Its installed in Search Heads as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After data is indexed, what sourcetype you can see from searchhead for paloalto logs ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i can see below sourcetypes:
pan:traffic
pan:threat
pan:system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That means HF is parsing data properly. Can you please check Splunk_TA_paloalto add-on permission on SH, it should be Global - Read to everyone
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harsmarvania57 Permission is Global. But issue here is there no src_ip, dst_ip etc. And in search app my log looks like below:
< 14 >Feb 18 07:54:52 FWRY95-IT-RDC46-F1-WA-A10-01 1,2020/02/18 07:54:52,012501002982,TRAFFIC,drop,2049,2020/02/18 07:54:52,192.168.99.50,10.21.64.18,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Outside,FWasGW-2001,ae1.2000,,LOG-FOR,2020/02/18
Its looks like the timestamp issue i think.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
