
Splunk for Palo Alto Networks: Why is PAN policy data not being logged?

sinanian
New Member

I am having trouble with the app Splunk for Palo Alto Networks.

I have a brand new install of Splunk 6.2.0 (build 237341) with only the
one app installed: Splunk for Palo Alto Networks version 4.1.3.

The PAN is a PA-7050 running version 6.1.0.

I did follow the instructions to install the app and included the required line in inputs.conf.
no_appending_timestamp = true

On the PAN side I'm sending config and system syslogs to Splunk; at this point I do get some data.
So the server is receiving data. I now add some policies on the PAN to log forward.

When I do the commit command on the PAN, I get a brief spike on the Event Types graph in Splunk.

But then I get no new data being charted. Just the few entries on the graph for general.
All other graphs on the Overview screen are also reporting 0.

When I do a search for index=pan*, I only get events from sourcetype=pan_system and pan_config.

No data from log forwarding from policies.

Does anyone else have this problem of logs not being seen in Splunk using this App?

0 Karma

btorresgil
Builder

Hello,

First, you should know that the Splunk app for Palo Alto Networks doesn't yet support PAN-OS 6.1 threat logs. The logs will be indexed and when they are supported even old logs will look right, but some of the fields may be a little off right now. Traffic, config, and system logs work fine.

Now regarding your question, it's good that you're getting system and config logs. The other log types require a log forwarding profile to be attached to a rule in your security policy. Make sure that there is traffic through the firewall that matches a rule in your security policy with a log forwarding profile attached. Once that's done, if you enable logging for the start or end of a session in that rule then you'll get traffic logs in Splunk, and if you add a security profile (like Vulnerability Protection or URL Filtering) to the rule then you'll get threat logs in Splunk.

0 Karma
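A small check for the situation described in this thread, added here as an example (it is not from the original posts, nor part of the Splunk for Palo Alto Networks app): it parses raw PAN-OS syslog lines, counts which log types and subtypes are actually arriving, and maps each missing type to the configuration step the answer points at. The field positions assume the PAN-OS 6.x comma-separated syslog layout (fourth field is the log type, fifth the subtype); the hostname, serial number, addresses and sample lines are constructed, and the function names are this example's own.

```python
"""Check which PAN-OS log types are reaching the Splunk syslog input.

Added example, not code from the thread or from the Splunk for Palo Alto
Networks app.  Assumption: PAN-OS 6.x syslog layout, i.e. a syslog header
(timestamp and hostname) followed by a comma-separated record whose 4th
field is the log type (TRAFFIC, THREAT, CONFIG, SYSTEM) and 5th field the
subtype (start/end for traffic, vulnerability/url/... for threat).
"""
import csv
from collections import Counter

# Constructed sample: one line per log type, RFC 5737 documentation addresses.
SAMPLE_SYSLOG = """\
Nov 15 12:00:01 PA-7050 1,2014/11/15 12:00:01,000000000001,SYSTEM,general,0,2014/11/15 12:00:01,,general,,0,0,general,informational,User admin logged in via Web
Nov 15 12:00:05 PA-7050 1,2014/11/15 12:00:05,000000000001,CONFIG,0,0,2014/11/15 12:00:05,192.0.2.5,,commit,admin,Web,Succeeded,,0
Nov 15 12:00:09 PA-7050 1,2014/11/15 12:00:09,000000000001,TRAFFIC,end,0,2014/11/15 12:00:09,192.0.2.10,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing
Nov 15 12:00:11 PA-7050 1,2014/11/15 12:00:11,000000000001,THREAT,url,0,2014/11/15 12:00:11,192.0.2.10,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing
"""

# What a fully configured firewall should deliver once rules carry a
# log forwarding profile and a security profile.
EXPECTED_TYPES = ("SYSTEM", "CONFIG", "TRAFFIC", "THREAT")


def parse_pan_syslog(line):
    """Return (log_type, subtype) for one PAN-OS syslog line, or None if malformed."""
    # Header is "Mon DD HH:MM:SS host"; split on runs of whitespace so a
    # single-digit day padded with two spaces still parses.
    parts = line.strip().split(None, 4)
    if len(parts) < 5:
        return None
    fields = next(csv.reader([parts[4]]))
    if len(fields) < 5:
        return None
    return fields[3].upper(), fields[4].lower()


def count_log_types(text):
    """Count (type, subtype) pairs over a block of syslog text."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_pan_syslog(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def diagnose(counts):
    """Map each expected log type that never arrived to the likely fix."""
    seen = {log_type for log_type, _ in counts}
    hints = {
        "SYSTEM": "no system logs: the firewall is not sending syslog at all, "
                  "check the syslog server profile and reachability of Splunk",
        "CONFIG": "no config logs: check the system/config log settings "
                  "forward to the syslog server profile",
        "TRAFFIC": "no traffic logs: attach a log forwarding profile to the "
                   "matching security rule and enable logging at session "
                   "start or end, then generate traffic that hits that rule",
        "THREAT": "no threat logs: add a security profile (Vulnerability "
                  "Protection, URL Filtering, ...) to the same rule",
    }
    return {t: hints[t] for t in EXPECTED_TYPES if t not in seen}


if __name__ == "__main__":
    # Reproduce the reporter's situation: only the first two (system, config)
    # lines have arrived, so traffic and threat are flagged as missing.
    received = "\n".join(SAMPLE_SYSLOG.splitlines()[:2])
    for (log_type, subtype), n in sorted(count_log_types(received).items()):
        print(f"{log_type:8} {subtype:12} {n}")
    for log_type, hint in diagnose(count_log_types(received)).items():
        print(f"MISSING {log_type}: {hint}")
```

Run it against a capture of what Splunk actually indexed (for instance the raw events from a search on index=pan*) rather than the constructed sample; a firewall that is forwarding only system and config records will produce exactly the two MISSING lines the questioner's symptoms correspond to.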