We are currently sending all of our Palo Alto syslogs to a syslog server that collects multiple machines' syslogs and forwards them via a universal forwarder to our Splunk instance.
We filtered out all logs tagged with the Palo Alto device name and set the sourcetype to pan_log.
Here's the piece of our inputs.conf broken out for the Palo Alto logs from our syslog server.
The index=syslog is the generic index name we use for all syslogs rather than 'main' or 'default', etc.
We also made an update to the macros.conf on the application side via our search head and included the index name under:
definition = index=syslog sourcetype="pan_threat" NOT "THREAT,url"
definition = index=syslog sourcetype="pan_traffic"
definition = index=syslog sourcetype="pan_system"
definition = index=syslog sourcetype="pan_config"
definition = index=syslog sourcetype="pan_threat" "THREAT,url"
Oddly enough under this dir
Now, as it stands, I am able to see under Splunk Deployment Monitor a pan_log sourcetype that is receiving traffic, but I am unable to view any data under the Palo Alto app or by doing an independent search such as sourcetype="pan_log" or 'pan_threat', etc.
Any help would be greatly appreciated.
A follow up:
Well, it appears that all the data coming in under 'pan_log' I can now manually search against, if I specify index=
transforms.conf and props.conf appear to be fine. I don't have an inputs.conf under the default folder, however, and my local folder inputs.conf is empty. Does anyone have a good example of a proper inputs.conf for this app?
You shouldn't be editing anything in the default folder. Anything you want to modify should be in the local folder. I believe stanzas/sections in local supersede anything in default. Here is what my inputs.conf in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local looks like:
connection_host = ip
sourcetype = pan_log
index = pan_logs
no_appending_timestamp = true
Thanks. Yes, so far I haven't edited or created any inputs.conf under the app directory, be it default or local, just on our forwarder on the syslog server. All the data is being captured, though, as it's specified in the inputs.conf on the syslog server that is forwarding the syslogs of a multitude of systems, the PA just being another one of those; it just happens that the data isn't transforming. (comment continued)
It is being tagged as the correct sourcetype by the inputs.conf on the syslog server before it comes over, and it comes over in that stream with index="syslog".
I guess what my question should be is: 1) does it need to be tagged as index="pan_logs" for transforms to function, or 2) can I just point the app to look in the "syslog" index where all the data is and pull out its sourcetype of 'pan_log' to get transforms to start happening?
Ah, ya know, I think you just called it. Checking my indexers, none of the transforms.conf's under etc/system/local have anything for ## INDEX-TIME TRANSFORMS (like 1 stanza for another app). So since it needs to process the transforms at index time (forgive me, I'm a noob), can I just insert the transforms from the conf file that's in my app directory on the search head into the # index-time transforms segment of the local transforms file on all my indexers (along with the appropriate props updates as well)? Talk about feeling dumb; I've been looking at the search head this whole time.
Also, just a side note: really the only place I see the Palo Alto transforms data is under the app directory itself, under default on the search head; nowhere else do I see its transform data.
The app's main dashboard page has inline searches. Those searches use index=pan_logs. Other views have searches built on the macros. You have already modified those macros. But adding the index=syslog was not necessary for those views.
Lastly, it is a good practice to keep different log types separated by indexes. I would not recommend sending all syslog type logs into one index.
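The inputs.conf the question asks for, together with the index-time props/transforms placement the last replies describe, as an added example that is not the thread's own or the app's own configuration; the stanza names, file paths, port-free monitor input and the field-position regexes are assumptions for illustration:

```ini
# Added example, not taken from the thread or the app. The universal
# forwarder only tags the input; TRANSFORMS-* in props.conf run at index
# time, so props.conf/transforms.conf must be on every indexer (or a heavy
# forwarder), not only in the app on the search head.
# Stanza names, paths and regexes here are assumptions for illustration.

# ---- inputs.conf, on the syslog host's universal forwarder (local/) ----
[monitor:///var/log/syslog-ng/paloalto/*.log]
sourcetype = pan_log
index = pan_logs
disabled = false

# ---- props.conf, on each indexer ($SPLUNK_HOME/etc/system/local) ----
[pan_log]
SHOULD_LINEMERGE = false
# Run these transforms at index time to re-tag the sourcetype per log type
TRANSFORMS-pan_sourcetype = pan_threat, pan_traffic, pan_system, pan_config

# ---- transforms.conf, on each indexer ($SPLUNK_HOME/etc/system/local) ----
# PAN-OS syslog is CSV and carries the log type in the 4th field. Constructed
# sample (syslog header contains no commas, so the count still holds):
#   May  1 12:00:00 pa-fw 1,2013/05/01 12:00:00,0001A,THREAT,url,...  -> pan_threat
[pan_threat]
REGEX = ^(?:[^,]*,){3}THREAT,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan_threat

[pan_traffic]
REGEX = ^(?:[^,]*,){3}TRAFFIC,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan_traffic

[pan_system]
REGEX = ^(?:[^,]*,){3}SYSTEM,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan_system

[pan_config]
REGEX = ^(?:[^,]*,){3}CONFIG,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan_config

# ---- macros.conf, in the app's local/ on the search head (assumed name) ----
# Search-time only; this just points the app's views at the index used above.
[pan_threat_search]
definition = index=pan_logs sourcetype="pan_threat" NOT "THREAT,url"
```

Restart the indexers after editing and confirm with a search such as index=pan_logs sourcetype=pan_threat; once the transforms run, the deployment monitor shows the four re-tagged sourcetypes instead of only pan_log.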