All Apps and Add-ons

Why are logs being sent by Palo Alto Networks App's syslog UDP not showing up in Splunk?


I can use TCPDUMP and see that logs are being sent to the correct port. I can use ngrep to see the data in the packets being received. They are in the right IETF format. I can see the events coming in via the Splunk metrics logs. But no logs are getting to Splunk.

I'm using the 6.0.2 add-on

index = firewall-logs
disabled = false
sourcetype = pan:log
connection_host = ip
no_appending_timestamp = true

Ultra Champion

What metrics log show the events coming in? Metrics on forwarder, or metrics on indexer? Or do you have a single instance setup?

Have you tried searching over 'all time' in case there is some issue with the timestamp/timezone recognition?

0 Karma

Splunk Employee
Splunk Employee

What is your indication that they aren't being ingested? Are you not seeing a dashboard populate? Are you running a search and not able to find the data?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...