
Splunk for Palo Alto Networks: Why is PAN policy data not being logged?

sinanian
New Member

I am having trouble with the app Splunk for Palo Alto Networks.

I have a brand new install of Splunk 6.2.0 (build 237341) with only
one app installed: Splunk for Palo Alto Networks version 4.1.3.

The PAN is a PA-7050 running version 6.1.0.

I did follow the instructions to install the app and included the required line in inputs.conf:
no_appending_timestamp = true

On the PAN side I'm sending config and system syslogs to Splunk, and at this point I do get some data,
so the server is receiving data. I now add some policies on the PAN to log forward.

When I do the commit command on the PAN, I get a brief spike on the Event Types graph in Splunk.

But then I get no new data being charted. Just the few entries on the graph for general.
All other graphs on the Overview screen are also reporting 0.

When I do a search index=pan*, I only get events from sourcetype = pan_system and pan_config.

No log-forwarding data from policies.

Does anyone else have this problem of logs not being seen in Splunk using this App?


btorresgil
Builder

Hello,

First, you should know that the Splunk app for Palo Alto Networks doesn't yet support PAN-OS 6.1 threat logs. The logs will be indexed and when they are supported even old logs will look right, but some of the fields may be a little off right now. Traffic, config, and system logs work fine.

Now regarding your question, it's good that you're getting system and config logs. The other log types require a log forwarding profile to be attached to a rule in your security policy. Make sure that there is traffic through the firewall that matches a rule in your security policy with a log forwarding profile attached. Once that's done, if you enable logging for the start or end of a session in that rule then you'll get traffic logs in Splunk, and if you add a security profile (like Vulnerability Protection or URL Filtering) to the rule then you'll get threat logs in Splunk.

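A quick way to confirm which PAN-OS log types are actually reaching the collector before blaming the app, as an added example that is not part of the thread or of the Splunk app: it classifies raw syslog lines by the Type and Subtype columns of the PAN-OS CSV layout (the 4th and 5th comma-separated fields, after the optional syslog header, FUTURE_USE, receive time and serial number) and maps the observed mix to the checks in the answer above. The sample lines are constructed and truncated after the columns the script needs.

```python
import collections

PAN_TYPES = ("TRAFFIC", "THREAT", "SYSTEM", "CONFIG")

# Constructed sample lines (not captured from a real PA-7050); only the
# first five fields matter here, later columns are cut for brevity.
SAMPLE_LINES = [
    "<14>Dec  1 10:00:01 pa-7050 1,2014/12/01 10:00:01,0018010001,SYSTEM,general,0,2014/12/01 10:00:01",
    "<14>Dec  1 10:00:02 pa-7050 1,2014/12/01 10:00:02,0018010001,CONFIG,0,0,2014/12/01 10:00:02,10.0.0.5",
    "<14>Dec  1 10:00:05 pa-7050 1,2014/12/01 10:00:05,0018010001,TRAFFIC,start,1,2014/12/01 10:00:05",
    "<14>Dec  1 10:00:09 pa-7050 1,2014/12/01 10:00:09,0018010001,TRAFFIC,end,1,2014/12/01 10:00:09",
]


def parse_type(line):
    """Return (type, subtype) for a PAN-OS syslog line, or None if it isn't one."""
    fields = line.split(",")
    if len(fields) < 5:
        return None
    log_type = fields[3].strip().upper()   # Type is always the 4th CSV field
    if log_type not in PAN_TYPES:
        return None
    return log_type, fields[4].strip().lower()


def summarize(lines):
    """Count events per (type, subtype); unparseable lines are ignored."""
    counts = collections.Counter()
    for line in lines:
        parsed = parse_type(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def diagnose(counts):
    """Translate the observed log mix into the firewall-side checks to make."""
    types = {t for t, _ in counts}
    hints = []
    if "TRAFFIC" not in types:
        hints.append("no TRAFFIC logs: attach a log forwarding profile to a security rule that matching traffic hits")
    elif not any(t == "TRAFFIC" and s in ("start", "end") for t, s in counts):
        hints.append("TRAFFIC logs lack start/end subtypes: enable log at session start or end on the rule")
    if "THREAT" not in types:
        hints.append("no THREAT logs: add a security profile (Vulnerability Protection, URL Filtering) to the rule")
    return hints


if __name__ == "__main__":
    observed = summarize(SAMPLE_LINES)
    for key, n in sorted(observed.items()):
        print("%-8s %-8s %d" % (key[0], key[1], n))
    for hint in diagnose(observed):
        print("CHECK:", hint)
```

Feed it the real lines with something like `nc -lu 514 | tee pan.log`, or a Splunk export of `index=pan*`, and the CHECK lines tell you which rule setting is still missing.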