All Apps and Add-ons

Splunk for Palo Alto Networks: Why is PAN policy data not being logged?

sinanian
New Member

I am having trouble with the app Splunk for Palo Alto Networks.

I have a brand new install of splunk 6.2.0 splunk build 237341 with only the
one App installed - Splunk for Palo Alto Networks version 4.1.3

The Pan is a PA-7050 running version 6.1.0

I did follow the instructions to install the app and included the required line in inputs.conf.
no_appending_timestamp = true

On the Pan side i'm sending config and system syslogs to splunk, at this point I do get some data.
So the server is receiving data. I now add some policies on the Pan to log forward.

When I do the commit command on the Pan, I get on Splunk a brief spike on the Event Types graph.

But then I get no new data being charted. Just the few entries on the graph for general.
All other graphs on the Overview screen are also reporting 0.

When I do a search index=pan*, I only get events from sourcetype = pan_system and pan_config

No data from log_forwarding data from policies.

Does anyone else have this problem of logs not being seen in Splunk using this App?

0 Karma

btorresgil
Builder

Hello,

First, you should know that the Splunk app for Palo Alto Networks doesn't yet support PAN-OS 6.1 threat logs. The logs will be indexed and when they are supported even old logs will look right, but some of the fields may be a little off right now. Traffic, config, and system logs work fine.

Now regarding your question, it's good that you're getting system and config logs. The other log type require a log forwarding profile to be attached to a rule in your security policy. Make sure that there is traffic through the firewall that matches a rule in your security policy with a log forwarding profile attached. Once that's done, if you enable logging for the start or end of a session in that rule then you'll get traffic logs in Splunk, and if you add a security profile (like Vulnerability Protection or URL Filtering) to the rule then you'll get threat logs in Splunk.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...