All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are Palo Alto logs not showing in Splunk Cloud?

defikes
Explorer
‎12-01-2020 12:15 PM

Hello,

We have a Splunk Cloud that is replacing our On-prem. We currently have firewall logs going to a Syslog server that is then being sent to Splunk Cloud. We have installed the App/Add-on on the search head and it is mostly being used for CIM as the rsyslog is doing most of the work. We have an issue where we are not seeing any new data in our Splunk Cloud. I have checked the rsyslog.conf and everything appears right as far as what file path it is monitoring and what IP's it is getting it from. I have checked and confirmed all new logs are still going to the syslog server and data is is still going to our on-prem server. 

It would appear to be some disconnect between the Syslog server and our splunk cloud, but not 100% what else to check at this moment

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-01-2020 12:21 PM

You must have something that connects rsyslog to Splunk Cloud.  Usually, that's a Universal Forwarder, but it could be a heavy forwarder.  Verify that the forwarder is running.  Check the log for errors that may indicate why data is not flowing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

defikes
Explorer
‎12-01-2020 01:36 PM

Thank you for the reply. I checked and all seems to be well with this. However, looking through the logs again I did see an error where it is Enqueing a very large log file (the one it is sending to the cloud) and has a large number of bytes to read, so that appears to be causing some issues as I think it may be getting backed up and not sending. 

 

I checked and we have 2 parallel ingestion pipelines and our max throughput is 0. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...