All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Palo Alto App cannot see data but logs are seen as PAN:*

elliotbeken
New Member
‎09-03-2019 05:23 AM

I have installed the Palo Alto App and add-on and i have also pointed a firewall to Splunk.

I can see traffic, threat logs ETC under search but cannot see anything in the App.

sourcetype is being seen correctly such as:
sourcetype=pan:traffic
sourcetype=pan:threat

What am i doing wrong or not doing!

0 Karma
Reply

elliotbeken
New Member
‎09-06-2019 06:22 AM

Hi,

Thanks for the feedback.

I know its best to use a SySLog server rather then sending directly. This is a test setup for 1 firewall.

I have enabled data acceleration and there still seems to be nothing in the app!

This is my eventtypes.conf:

[pan]
search = sourcetype=pan_ OR sourcetype=pan:*
[pan_firewall]
search = sourcetype=pan:traffic OR sourcetype=pan:threat OR sourcetype=pan:config OR sourcetype=pan:system OR sourcetyp$

tags = network

[pan_config]
search = sourcetype=pan_config OR sourcetype=pan:config

tags = change

[pan_traffic]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic

tags = network communicate

[pan_traffic_start]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="start"

tags = network session start

[pan_traffic_end]
search = sourcetype=pan_traffic OR sourcetype=pan:traffic AND log_subtype="end"

tags = network session end

[pan_system]
search = sourcetype=pan_system OR sourcetype=pan:system

tags = update status

[pan_threat]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype != "url" log_subtype != "file" log_subtype != "$

tags = ids attack

[pan_file]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "file"

tags = web

[pan_url]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "url"

tags = web

[pan_data]
search = sourcetype=pan_threat OR sourcetype=pan:threat AND log_subtype = "data"

tags = web*

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎09-03-2019 09:47 AM

Hi elliotbeken,

As a best practice you should not be sending syslog data directly to splunk. Yes its possible to use splunk to receive TCP/UDP but its not recommended for production use. You'll end up losing data in case you restart that splunk instance. You should whenever possible use a syslog server to received the data. Then to index it you either use a forwarder or a syslog agent that is capable to output to Splunk's http event collector (HEC).

Regarding you issue with PAN App, validate that your datamodels have acceleration enabled and are able to access data. You can validate the first by going into settings >> datamodels and look for the yellow lightning next to each Palo Alto datamodel and you can test the second bit by using the pivot option and check if there are results showing up there.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

tscroggins
Influencer
‎09-03-2019 09:06 AM

The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.:

SplunkforPaloAltoNetworks/local/eventtypes.conf:

[pan_wildfire_report]
search = index=your_index (sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report)

Splunk_TA_paloalto/local/eventtypes.conf:

[pan]
search = index=your_index (sourcetype=pan_* OR sourcetype=pan:*)

Replace "your_index" with your actual index. These are just examples. There are more event types in both apps.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎09-03-2019 10:00 AM

I don't believe you need to change eventtypes. Palo Alto dashboards query their datamodels (pan_firewall, pan_aperture, etc) in most of the cases I've seen with summariesonly=t. This means it will return results from the accelerated data. Data models accelerations are done by splunk-system-user and not by the user it self, so the user's index list searched by default won't be a problem here.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

tscroggins
Influencer
‎09-03-2019 10:17 AM

You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model.

0 Karma
Reply

btorresgil
Builder
‎09-03-2019 08:48 AM

Hello,

Usually this is caused by one of these problems:

  1. Time or timezone issue. The dashboards show the last 60 minutes, so if the time of the logs is prior to that, nothing will show up in the dashboards.
  2. Datamodels Acceleration is disabled. Please check that all the Palo Alto Networks datamodels have acceleration enabled. Splunk makes us disable them by default. We recommend 7 days as a starting timeframe for datamodel acceleration.

Here's our troubleshooting guide for dashboards. It should guide you through checking these issues and correcting them:
https://splunk.paloaltonetworks.com/troubleshoot.html#dashboards-not-working

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...