
Palo Alto App cannot see data but logs are seen as PAN:*

New Member

I have installed the Palo Alto App and add-on, and I have also pointed a firewall to Splunk.

I can see traffic, threat logs, etc. under search but cannot see anything in the App.

The sourcetype is being seen correctly, such as:
sourcetype=pan:traffic
sourcetype=pan:threat

What am I doing wrong or not doing?

0 Karma

Re: Palo Alto App cannot see data but logs are seen as PAN:*

Builder

Hello,

Usually this is caused by one of these problems:

  1. Time or timezone issue. The dashboards show the last 60 minutes, so if the time of the logs is prior to that, nothing will show up in the dashboards.
  2. Datamodel acceleration is disabled. Please check that all the Palo Alto Networks datamodels have acceleration enabled. Splunk makes us disable them by default. We recommend 7 days as a starting timeframe for datamodel acceleration.

Here's our troubleshooting guide for dashboards. It should guide you through checking these issues and correcting them:
https://splunk.paloaltonetworks.com/troubleshoot.html#dashboards-not-working


Re: Palo Alto App cannot see data but logs are seen as PAN:*

Path Finder

The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.:

SplunkforPaloAltoNetworks/local/eventtypes.conf:

[panwildfirereport]
search = index=yourindex (sourcetype=panwildfirereport OR sourcetype=pan:wildfirereport)

SplunkTApaloalto/local/eventtypes.conf:

[pan]
search = index=yourindex (sourcetype=pan* OR sourcetype=pan:*)

Replace "yourindex" with your actual index. These are just examples. There are more event types in both apps.

0 Karma
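One way to generate the local overrides described above for a whole file rather than stanza by stanza (an added example, not code from the add-on or from the post; the sample stanzas and the index name pan_logs are constructed):

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the add-on's default/eventtypes.conf
# (stanza names taken from the thread; the real file has many more).
SAMPLE_DEFAULT_CONF = """\
[pan]
search = sourcetype=pan* OR sourcetype=pan:*

[pantraffic]
search = sourcetype=pantraffic OR sourcetype=pan:traffic
tags = network communicate

[pantrafficstart]
search = sourcetype=pantraffic OR sourcetype=pan:traffic AND logsubtype="start"
tags = network session start
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def parse_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Minimal Splunk .conf reader: ordered stanzas, 'key = value' lines,
    '#' comments and trailing-backslash line continuation."""
    stanzas: List[Tuple[str, Dict[str, str]]] = []
    current: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = {}
            stanzas.append((m.group("name"), current))
        elif "=" in line:                # first '=' separates key from value
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def scope_to_index(text: str, index: str) -> str:
    """Build local/eventtypes.conf text pinning every event type to `index`.
    Only 'search' is overridden; tags and other keys still come from default/."""
    out: List[str] = []
    for name, keys in parse_conf(text):
        search = keys.get("search")
        if search is None or re.search(r"\bindex\s*=", search):
            continue                     # nothing to scope, or already scoped
        # Parenthesise the original so the index term applies to the whole search.
        out.extend([f"[{name}]", f"search = index={index} ({search})", ""])
    return "\n".join(out)
```

Write the returned text to local/eventtypes.conf of each app; Splunk layers it over default/ by stanza and key.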

Re: Palo Alto App cannot see data but logs are seen as PAN:*

Motivator

I don't believe you need to change eventtypes. Palo Alto dashboards query their datamodels (panfirewall, panaperture, etc.) in most of the cases I've seen with summariesonly=t. This means it will return results from the accelerated data. Data model accelerations are done by splunk-system-user and not by the user itself, so the user's default index list won't be a problem here.

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Re: Palo Alto App cannot see data but logs are seen as PAN:*

Path Finder

You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model.

0 Karma

Re: Palo Alto App cannot see data but logs are seen as PAN:*

Motivator

Hi elliotbeken,

As a best practice you should not be sending syslog data directly to Splunk. Yes, it's possible to use Splunk to receive TCP/UDP, but it's not recommended for production use. You'll end up losing data if you restart that Splunk instance. You should, whenever possible, use a syslog server to receive the data. Then, to index it, you either use a forwarder or a syslog agent that is capable of outputting to Splunk's HTTP Event Collector (HEC).

Regarding your issue with the PAN App, validate that your datamodels have acceleration enabled and are able to access data. You can validate the first by going into Settings >> Data models and looking for the yellow lightning bolt next to each Palo Alto datamodel, and you can test the second by using the pivot option and checking whether results show up there.

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Re: Palo Alto App cannot see data but logs are seen as PAN:*

New Member

Hi,

Thanks for the feedback.

I know it's best to use a syslog server rather than sending directly. This is a test setup for 1 firewall.

I have enabled data acceleration and there still seems to be nothing in the app!

This is my eventtypes.conf:

[pan]
search = sourcetype=pan* OR sourcetype=pan:*

[pan_firewall]
search = sourcetype=pan:traffic OR sourcetype=pan:threat OR sourcetype=pan:config OR sourcetype=pan:system OR sourcetyp$
tags = network

[panconfig]
search = sourcetype=panconfig OR sourcetype=pan:config
tags = change

[pantraffic]
search = sourcetype=pantraffic OR sourcetype=pan:traffic
tags = network communicate

[pantrafficstart]
search = sourcetype=pantraffic OR sourcetype=pan:traffic AND logsubtype="start"
tags = network session start

[pantrafficend]
search = sourcetype=pantraffic OR sourcetype=pan:traffic AND logsubtype="end"
tags = network session end

[pansystem]
search = sourcetype=pansystem OR sourcetype=pan:system
tags = update status

[panthreat]
search = sourcetype=panthreat OR sourcetype=pan:threat AND logsubtype != "url" logsubtype != "file" log_subtype != "$
tags = ids attack

[panfile]
search = sourcetype=panthreat OR sourcetype=pan:threat AND log_subtype = "file"
tags = web

[panurl]
search = sourcetype=panthreat OR sourcetype=pan:threat AND log_subtype = "url"
tags = web

[pandata]
search = sourcetype=panthreat OR sourcetype=pan:threat AND log_subtype = "data"
tags = web

0 Karma