
Using Palo Alto with syslog server funneling to splunk

Path Finder

Good afternoon,

We are currently sending all of our Palo Alto syslogs to a syslog server that collects multiple machines' syslogs and forwards them via a universal forwarder to our Splunk instance.

We filtered out all logs tagged with the Palo Alto device name and set the sourcetype to pan_log.

Here's the piece of our inputs.conf broken out for the Palo Alto logs from our syslog server:
/prod/splunkforwarder/etc/apps/syslog/default/inputs.conf

[monitor:///prod/remotesyslog/logs/paloalto/]
blacklist=.gz$
disabled=false
sourcetype=pan_log
host_segment=4
index=syslog

The index=syslog is the generic index name we use for all syslogs rather than 'main' or 'default' etc.

We also made an update to the macros.conf on the application side via our search head and included the index name under:
opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default#

Base Macros

[panthreat]
definition = index=syslog sourcetype="pan_threat" NOT "THREAT,url"

[pantraffic]
definition = index=syslog sourcetype="pan_traffic"

[pansystem]
definition = index=syslog sourcetype="pan_system"

[panconfig]
definition = index=syslog sourcetype="pan_config"

[panwebactivity]
definition = index=syslog sourcetype="pan_threat" "THREAT,url"

Oddly enough, under this dir
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local#

the inputs.conf listed there is empty. Is this correct?

Now, as it stands, I am able to see under Splunk Deployment Monitor a pan_log sourcetype that is receiving traffic, but I am unable to view any data under the Palo Alto app or by doing an independent search such as sourcetype="pan_log" or 'pan_threat' etc.

Any help would be greatly appreciated.


Re: Using Palo Alto with syslog server funneling to splunk

Path Finder

I should have noted that our syslog server is load balancing out to 6 indexers.


Re: Using Palo Alto with syslog server funneling to splunk

Path Finder

A follow up:

Well, it appears that all the data coming in under 'pan_log' I can now manually search against if I specify index= sourcetype=pan_log. My assumption is that it's not properly transforming to, say, pan_threat or pan_system etc.
transforms.conf and props.conf appear to be fine. I don't have an inputs.conf under the default folder, however, and my local folder inputs.conf is empty. Does anyone have a good example of a proper inputs.conf for this app?

Thanks


Re: Using Palo Alto with syslog server funneling to splunk

New Member

You shouldn't be editing anything in the default folder. Anything you want to modify should be in the local folder. I believe stanzas/sections in local supersede anything in default. Here is my inputs.conf in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local:

[udp://514]
connection_host = ip
sourcetype = pan_log
index = panlogs
no_appending_timestamp = true


Re: Using Palo Alto with syslog server funneling to splunk

Path Finder

Thanks. Yes, so far I haven't edited or created any inputs.conf under the app directory, be it default or local, just on our forwarder on the syslog server. All the data is being captured, though, as it's specified in the inputs.conf on the syslog server that is forwarding the syslogs of a multitude of systems, the PA just being another one of those; it just happens that the data isn't transforming. -comment continued . .


Re: Using Palo Alto with syslog server funneling to splunk

Path Finder

cont:
It is being tagged as the correct sourcetype by the inputs.conf on the syslog server before it comes over, and it comes over in that stream with index="syslog".

I guess what my question should be is: 1) does it need to be tagged as index="panlogs" for transforms to function, or 2) can I just point the app to look in the "syslog" index where all the data is and pull out its sourcetype for 'pan_log' to get transforms to start happening?


Re: Using Palo Alto with syslog server funneling to splunk

Splunk Employee

1. No. But sourcetype must be set to pan_log.
2. No. The props/transforms are happening pre-indexing.

Given the architecture described, you should ignore any reference to opening a port on a Splunk instance via inputs.conf. You've already got a functioning input (although the host_segment is of questionable value). If the forwarder is a UF, and props/transforms from the PAN app are living happily on the Splunk indexer(s) and the PAN app is installed on the search head, this should all flow well. I suspect missing props/transforms on the indexers, or inability to search the syslog index in app.
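To make the reply above concrete, here is an added, illustrative props.conf/transforms.conf pair showing how an index-time sourcetype rewrite from pan_log to pan_threat, pan_traffic, pan_system and pan_config works; it is not the app's own configuration. It assumes the Palo Alto CSV syslog layout in which the log type is the fourth comma-separated field, and the stanza names pan_set_* are made up for this example.

```ini
# props.conf  (assumed path: etc/apps/SplunkforPaloAltoNetworks/local on EVERY indexer;
# index-time transforms that exist only on the search head never run)
[pan_log]
TRANSFORMS-sourcetype = pan_set_threat, pan_set_traffic, pan_set_system, pan_set_config

# transforms.conf  (same location as the props.conf above)
# Assumed event layout: "<syslog header> 1,<receive time>,<serial>,<TYPE>,<subtype>,..."
# so the log type sits in the fourth comma-separated field.
[pan_set_threat]
REGEX = ^[^,]*,[^,]*,[^,]*,THREAT,
FORMAT = sourcetype::pan_threat
DEST_KEY = MetaData:Sourcetype

[pan_set_traffic]
REGEX = ^[^,]*,[^,]*,[^,]*,TRAFFIC,
FORMAT = sourcetype::pan_traffic
DEST_KEY = MetaData:Sourcetype

[pan_set_system]
REGEX = ^[^,]*,[^,]*,[^,]*,SYSTEM,
FORMAT = sourcetype::pan_system
DEST_KEY = MetaData:Sourcetype

[pan_set_config]
REGEX = ^[^,]*,[^,]*,[^,]*,CONFIG,
FORMAT = sourcetype::pan_config
DEST_KEY = MetaData:Sourcetype
```

On an indexer, `splunk btool props list pan_log --debug` shows which file each merged setting comes from; if no [pan_log] stanza appears there, events stay sourcetype pan_log no matter what the search head holds.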

Re: Using Palo Alto with syslog server funneling to splunk

Path Finder

Ah, ya know, I think you just called it. Checking my indexers, none of the transforms.conf's under etc/system/local have anything for ## INDEX-TIME TRANSFORMS (like 1 stanza for another app). So since it needs to process the transforms at index time (forgive me, I'm a noob), can I just insert the transforms from the conf file that's in my app directory on the search head into the #index-time transforms segment on the local transforms file on all my indexers (along with the appropriate props updates as well)? Talk about feeling dumb; I've been looking at the search head this whole time.


Re: Using Palo Alto with syslog server funneling to splunk

Path Finder

Also, just a side note: really the only place I see the Palo Alto transforms data is under the app directory itself, under default on the search head; nowhere else do I see its transforms data.


Re: Using Palo Alto with syslog server funneling to splunk

Communicator

The app's main dashboard page has inline searches. Those searches use index=pan_logs. Other views have searches built on the macros. You have already modified those macros, but adding the index=syslog was not necessary for those views.

Lastly, it is a good practice to keep different log types separated by indexes. I would not recommend sending all syslog type logs into one index.