Good afternoon,
We are currently sending all of our Palo Alto syslogs to a syslog server that collects multiple machines' syslogs and forwards them via a universal forwarder to our Splunk instance.
We filtered out all logs tagged with the Palo Alto device name and set the sourcetype to pan_log.
Here's the piece of our inputs.conf broken out for the Palo Alto logs from our syslog server:
/prod/splunkforwarder/etc/apps/syslog/default/inputs.conf
[monitor:///prod/remotesyslog/logs/paloalto*/*]
blacklist=.gz$
disabled=false
sourcetype=pan_log
host_segment=4
index=syslog
The index=syslog is the generic index name we use for all syslogs rather than 'main' or 'default', etc.
We also made an update to the macros.conf on the application side via our search head and included the index name under:
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default
[pan_threat]
definition = index=syslog sourcetype="pan_threat" NOT "THREAT,url"
[pan_traffic]
definition = index=syslog sourcetype="pan_traffic"
[pan_system]
definition = index=syslog sourcetype="pan_system"
[pan_config]
definition = index=syslog sourcetype="pan_config"
[pan_web_activity]
definition = index=syslog sourcetype="pan_threat" "THREAT,url"
Oddly enough, under this dir
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local
Now, as it stands, I am able to see under the Splunk Deployment Monitor a pan_log sourcetype that is receiving traffic, but I am unable to view any data under the Palo Alto app or by doing an independent search such as sourcetype="pan_log" or 'pan_threat', etc.
Any help would be greatly appreciated.
Adding to the summary indexing discussion: please take a look at this post: http://splunk-base.splunk.com/answers/5837/summary-indexing-on-a-search-head . Also, if you plan on using multiple indexers, I would discourage the use of summary indexes for now. Admittedly, the summary indexing use is not the best in this app. The summaries are of a high dimensionality, which results in a low summarized-to-raw data ratio. Ultimately, the summaries will become very large. I am working on a better strategy for this.
'pan_threat' host="pa*": I was unable to recreate this issue. This search works OK on a newly installed Splunk instance with a fresh install of the app.
The reason for this: index="pan_logs" pan_threat | bin _time span=5m | fillnull vsys app category src_ip dst_ip severity RISK threat_id CATEGORY | stats count by vsys app threat_id severity category src_ip dst_ip log_subtype CATEGORY RISK _time works
because the pan_logs index is not in the default search path of the user running the search.
I appreciate your feedback. I have added several things to my to-do list for the next version of the app. Happy to talk to you in person about some of this.
(ran out of characters...)
Aside from updating transforms and props on all my indexers and breaking the PA logs off into their own index for best practice's sake, is there anything I'm missing here?
Thanks
Thanks, since that original post I've updated the app and it appears the macros edit for the index isn't there anymore, so I will continue on without it. We are planning to move them to their own index at some point; we are really just trying to get a PoC for management at the moment, only taking system and config logs on one of our PAs.
None of the transforms are occurring though; the only data I am able to search against is all Pan_logs and not pan_sys* or pan_config, etc.
After reading ekost's comment above I checked my indexers, and none of the PA transforms/props data is on my indexers at the moment.
Also, just a side note: really the only place I see the Palo Alto transforms data is under the app directory itself under default on the search head; nowhere else do I see its transforms data.
Ah, ya know, I think you just called it. Checking my indexers, none of the transforms.conf's under etc/system/local have anything for ## INDEX-TIME TRANSFORMS (like 1 stanza for another app). So since it needs to process the transforms at index time (forgive me, I'm a noob), can I just insert the transforms from the conf file that's in my app directory on the search head into the # INDEX-TIME TRANSFORMS segment of the local transforms file on all my indexers (along with the appropriate props updates as well)? Talk about feeling dumb; I've been looking at the search head this whole time.
cont:
It is being tagged as the correct sourcetype by the inputs.conf on the syslog server before it comes over, and it comes over in that stream with index="syslog".
I guess what my question should be is: 1) does it need to be tagged as index="pan_logs" for transforms to function, or 2) can I just point the app to look in the "syslog" index where all the data is and pull out its sourcetype for 'pan_log' to get transforms to start happening?
Thanks, yes, so far I haven't edited or created any inputs.conf under the app directory, be it default or local, just on our forwarder on the syslog server. All the data is being captured though, as it's specified in the inputs.conf on the syslog server that is forwarding the syslogs of a multitude of systems, the PA just being another one of those; it just happens that the data isn't transforming. -comment continued . .
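As an added illustration of the index-time sourcetype rewrite being discussed (this is not the Splunk for Palo Alto Networks app's own props/transforms and not from any poster in this thread): the [pan_log] stanza below has to be read by each of the indexers that parse the stream, because a universal forwarder and the search head never run index-time transforms, and the rewrite is independent of whether the data lands in the syslog or the pan_logs index. It keys off the PAN-OS syslog CSV layout, where the fourth field is the log type (TRAFFIC, THREAT, SYSTEM, CONFIG) and the fifth the subtype (hence the "THREAT,url" match in the macros); the stanza names and regexes are assumptions.

```ini
# props.conf on every indexer (or heavy forwarder) that parses the pan_log
# stream. The universal forwarder and the search head do not run these, so a
# copy that lives only under the app on the search head has no effect.
[pan_log]
TRANSFORMS-pan_sourcetype = pan_st_traffic, pan_st_threat, pan_st_system, pan_st_config

# transforms.conf on the same hosts. After the syslog header, a PAN-OS event
# is a CSV record; field 4 is the log type and field 5 the subtype
# (e.g. "THREAT,url"). The four regexes are mutually exclusive, so exactly
# one of them rewrites the sourcetype of a given event. Stanza names and
# regexes are illustrative assumptions, not the app's own configuration.
[pan_st_traffic]
REGEX = ^(?:[^,]*,){3}TRAFFIC,
FORMAT = sourcetype::pan_traffic
DEST_KEY = MetaData:Sourcetype

[pan_st_threat]
REGEX = ^(?:[^,]*,){3}THREAT,
FORMAT = sourcetype::pan_threat
DEST_KEY = MetaData:Sourcetype

[pan_st_system]
REGEX = ^(?:[^,]*,){3}SYSTEM,
FORMAT = sourcetype::pan_system
DEST_KEY = MetaData:Sourcetype

[pan_st_config]
REGEX = ^(?:[^,]*,){3}CONFIG,
FORMAT = sourcetype::pan_config
DEST_KEY = MetaData:Sourcetype
```

Index-time rewrites only apply to events parsed after splunkd on each indexer is restarted, so anything already indexed stays as pan_log. On an indexer, splunk btool props list pan_log --debug shows which file the stanza was actually loaded from, which is the quickest way to tell a search-head-only copy from a deployed one.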
You shouldn't be editing anything in the default folder. Anything you want to modify should be in the local folder. I believe stanzas/sections in local supersede anything in default. Here is my inputs.conf in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local:
[udp://514]
connection_host = ip
sourcetype = pan_log
index = pan_logs
no_appending_timestamp = true
A follow up:
Well, it appears that all the data coming in under 'pan_log' I can now manually search against, if I specify index=
transforms.conf and props.conf appear to be fine. I don't have an inputs.conf under the default folder, however, and my local folder inputs.conf is empty. Does anyone have a good example of a proper inputs.conf for this app?
Thanks
I should have noted that our syslog server is load balancing out to 6 indexers.