I am having trouble with the app Splunk for Palo Alto Networks.
I have a brand new install of Splunk 6.2.0 (build 237341) with only
one app installed: Splunk for Palo Alto Networks version 4.1.3.
The PAN is a PA-7050 running version 6.1.0.
I did follow the instructions to install the app and included the required line in inputs.conf:
no_appending_timestamp = true
On the PAN side I'm sending config and system syslogs to Splunk, and at this point I do get some data.
So the server is receiving data. I now add some policies on the PAN to log forward.
When I run the commit command on the PAN, I get a brief spike on the Event Types graph in Splunk.
But then I get no new data being charted, just the few entries on the graph for general.
All other graphs on the Overview screen are also reporting 0.
When I do a search for index=pan*, I only get events with sourcetype=pan_system and pan_config.
No data from the log forwarding on the policies.
Does anyone else have this problem of logs not being seen in Splunk using this App?
Hello,
First, you should know that the Splunk app for Palo Alto Networks doesn't yet support PAN-OS 6.1 threat logs. The logs will be indexed and when they are supported even old logs will look right, but some of the fields may be a little off right now. Traffic, config, and system logs work fine.
Now regarding your question, it's good that you're getting system and config logs. The other log types require a log forwarding profile to be attached to a rule in your security policy. Make sure that there is traffic through the firewall that matches a rule in your security policy with a log forwarding profile attached. Once that's done, if you enable logging for the start or end of a session in that rule then you'll get traffic logs in Splunk, and if you add a security profile (like Vulnerability Protection or URL Filtering) to the rule then you'll get threat logs in Splunk.
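As an added illustration of the answer above (this is example code written for this page, not part of the Splunk app or anything the original poster or answerer provided), the following script tallies which PAN-OS log types have actually reached Splunk and, when TRAFFIC or THREAT is absent, reports the policy-side cause the answer describes. It reads raw events of the form you would see in the _raw field of an index=pan* search and locates the PAN-OS record by its leading "<n>,<YYYY/MM/DD HH:MM:SS>," field pair, so it works whether or not a syslog or Splunk timestamp prefix precedes it. The sample events, host name, serial number, rule name (allow-outbound) and log forwarding profile name (splunk-fwd) are all constructed; the field positions assume the PAN-OS 6.x comma-separated syslog layout (type at index 3, subtype at 4, rule at 11, log action at 20).

```python
import csv
import re
from collections import Counter

# Constructed sample: four PAN-OS syslog events as they would appear in _raw.
# Host, serial, IPs, rule name and log forwarding profile name are invented.
SAMPLE_EVENTS = [
    "Nov 21 10:15:02 pa-7050 1,2014/11/21 10:15:02,001234567890,SYSTEM,general,0,"
    "2014/11/21 10:15:02,,general,,0,0,general,informational,Commit succeeded,123,0x0",
    "Nov 21 10:15:03 pa-7050 1,2014/11/21 10:15:03,001234567890,CONFIG,0,0,"
    "2014/11/21 10:15:03,10.0.0.5,,set,admin,Web,Succeeded, config shared log-settings profiles splunk-fwd,124,0x0",
    "Nov 21 10:16:10 pa-7050 1,2014/11/21 10:16:10,001234567890,TRAFFIC,end,1,"
    "2014/11/21 10:16:10,10.0.1.20,93.184.216.34,0.0.0.0,0.0.0.0,allow-outbound,,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/1,ethernet1/2,splunk-fwd,2014/11/21 10:16:10,5001,1,54321,80,0,0,0x0,tcp,"
    "allow,1234,567,667,10,2014/11/21 10:16:00,10,any,0,125,0x0,10.0.0.0-10.255.255.255,United States,0,5,5",
    "Nov 21 10:16:11 pa-7050 1,2014/11/21 10:16:11,001234567890,THREAT,url,1,"
    "2014/11/21 10:16:11,10.0.1.20,93.184.216.34,0.0.0.0,0.0.0.0,allow-outbound,,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/1,ethernet1/2,splunk-fwd,2014/11/21 10:16:11,5001,1,54321,80,0,0,0x0,tcp,"
    "alert,\"example.com/\",(9999),computer-and-internet-info,informational,client-to-server,126,0x0",
]

# The PAN-OS record starts at "<n>,<YYYY/MM/DD HH:MM:SS>,". Everything before it
# is the syslog header (plus Splunk's own timestamp/host prefix if
# no_appending_timestamp was not set), so it is skipped rather than parsed.
_RECORD_START = re.compile(r"\d+,\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},")

# 0-based field positions in the PAN-OS 6.x comma-separated record (assumed layout).
TYPE, SUBTYPE, RULE, LOG_ACTION = 3, 4, 11, 20


def parse_event(raw):
    """Return {'type','subtype','rule','log_action'} for one raw event, or None."""
    m = _RECORD_START.search(raw)
    if not m:
        return None
    # csv handles the quoted URL field that THREAT/url records carry.
    fields = next(csv.reader([raw[m.start():]]))
    if len(fields) <= SUBTYPE:
        return None
    rec = {"type": fields[TYPE], "subtype": fields[SUBTYPE], "rule": "", "log_action": ""}
    # Rule and log forwarding profile only exist in session (TRAFFIC/THREAT) logs.
    if rec["type"] in ("TRAFFIC", "THREAT") and len(fields) > LOG_ACTION:
        rec["rule"] = fields[RULE]
        rec["log_action"] = fields[LOG_ACTION]
    return rec


def count_by_type(events):
    """Counter of (type, subtype) pairs, the same view as 'stats count by' in Splunk."""
    counts = Counter()
    for raw in events:
        rec = parse_event(raw)
        if rec:
            counts[(rec["type"], rec["subtype"])] += 1
    return counts


def forwarding_rules(events):
    """Set of (rule, log forwarding profile) pairs seen on session logs."""
    return {(r["rule"], r["log_action"]) for r in map(parse_event, events)
            if r and r["type"] in ("TRAFFIC", "THREAT")}


def diagnose(events):
    """List the policy-side gaps implied by the log types that are missing."""
    types = {t for t, _ in count_by_type(events)}
    findings = []
    if "TRAFFIC" not in types:
        findings.append("no TRAFFIC logs: attach a log forwarding profile to a security "
                        "rule that live traffic matches and enable Log at Session Start/End")
    if "THREAT" not in types:
        findings.append("no THREAT logs: add a security profile (Vulnerability Protection, "
                        "URL Filtering, ...) to a rule that already forwards traffic logs")
    return findings


if __name__ == "__main__":
    print(count_by_type(SAMPLE_EVENTS))
    print(forwarding_rules(SAMPLE_EVENTS))
    # Only the first two events is the situation described in the question.
    for line in diagnose(SAMPLE_EVENTS[:2]):
        print("-", line)
```

Feed it the _raw values exported from index=pan* (one per line) to see whether the firewall is sending anything beyond SYSTEM and CONFIG; when it is, the (rule, log_action) pairs confirm which rules and forwarding profiles are doing the work.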