All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are logs being sent by Palo Alto Networks App's syslog UDP not showing up in Splunk?

qtopia7100
Explorer
‎10-24-2018 08:33 AM

I can use TCPDUMP and see that logs are being sent to the correct port. I can use ngrep to see the data in the packets being received. They are in the right IETF format. I can see the events coming in via the Splunk metrics logs. But no logs are getting to Splunk.

I'm using the 6.0.2 add-on

Inputs.conf 
[udp://12002]
index = firewall-logs
disabled = false
sourcetype = pan:log
connection_host = ip
no_appending_timestamp = true
Reply

FrankVl
Ultra Champion
‎10-26-2018 12:43 AM

What metrics log show the events coming in? Metrics on forwarder, or metrics on indexer? Or do you have a single instance setup?

Have you tried searching over 'all time' in case there is some issue with the timestamp/timezone recognition?

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎10-25-2018 06:26 AM

What is your indication that they aren't being ingested? Are you not seeing a dashboard populate? Are you running a search and not able to find the data?

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...