Dashboards & Visualizations

Web Reports for Palo Alto Traffic Help

ghostdog920
Path Finder

Morning everyone,

Been having a rough go trying to get some usable web usage reports out of Splunk for my Palo Alto traffic. Specifically trying to do what I think is a semi simple thing. My test is going to a website like Amazon and then navigating around on the site looking at different products (robotic vacuums in my case). Then I look at the traffic in Splunk, which reports back as giving me only say "2 Hits".

Palo reports the following:

[attached screenshot: ghostdog920_1-1738684816002.png]

I set my policy in Palo to log at session start.

My search in Splunk is this:

index="pan_firewall" log_subtype="url" chris.myers dest_zone="L3-Untrust" url="www.*" user!="*solarwinds*" user!="*service*" user!=unknown http_category!="work-related" http_category!="health-and-medicine" http_category!="government" http_category!="web-advertisements" url!="ad.*" url!="www.abuseipdb.com*" url!="www.userbenchmark.com*" url!="www.xboxab.com*" url!="www.microsoft.com*" url!="www.content.shi.com*" url!="www.shi.com*" url!="www.workday.com*" url!="www.patientfirst.visualstudio.com*" url!="www.malwarebytes.com*" url!="www.globalknowledge.com*" url!="www.jetbrains.com*" url!="www.dnnsoftware.com*" url!="www.juniper.net*" url!="www.intel.com*" url!="www.cpug.org*" url!="www.vmware.com*" url!="www.csirt.org*" url!="ads.*" url!="www.vwc.state.va.us*" url!="www.atlantichealth.org*" url!="www.uhcprovider.com*" url!="www.checkpoint.com*" url!=*rumiview.com* url!="*bing.com*" url!="www.facebook.com/plugins/*" url!="www.codechef.com*" url!="www.splunk.com*" url!="www.aetna.com*" url!="www.radmd.com*" url!="www.humanamilitary.com*" url!="www.myamerigroup.com*" url!="www.providerportal.com*" url!="www.vcuhealth.org*" url!="www.workcomp.virginia.gov*" url!="www.cisco.com*" url!="www.va.gov*" url!="www.wcc.state.md.us*" url!=www.kraken.com* url!="www.medicaid.gov*" url!="www.scc.virginia.gov*" url!="www.dli.pa.gov*" url!="www.maryland.gov*" url!="www.hscrc.state.md.us*" url!="www.msftncsi.com*" url!="*.msftconnecttest.com*" url!="*.msftconnect.com*" url!="*.manageengine.com*" url!="*.ibm.com*" url!="*.paloaltonetworks.com*" url!="www.nowinstock.net*" url!="*.centurylink.com*" url!="*.static-cisco.com*" url!="*.arin.net*" url!="www.facebook.com/connect/*" url!="www.facebook.com/third_party/urlgen_redirector/*" url!="*windstreamonline.com*" url!=*google* dest_hostname!=*fe2.update.microsoft.com dest_hostname!=crl.microsoft.com url!=*windowsupdate* url!="www.telecommandsvc*" url!="www.redditstatic*" url!="www.redditmedia*" url!="www.gravatar.*" 
dest_hostname!=*icloud.com dest_hostname!=*gstatic.com url!=*.js url!=*.jpg url!=*.png url!=*.gif url!=*.svg url!=*.jpeg url!=*.css | where isnull(referrer) | top limit=25 dest_hostname | rename dest_hostname as URL | table URL, count

And my result is this:

[attached screenshot: ghostdog920_0-1738684686207.png]

What am I missing, or what am I not understanding? I would expect every page I visit for every vacuum I look at to be 1 hit. But my understanding has to be wrong as 1, I went and viewed over 15 individual vacuums, so different product URLs. Palo doesn't even seem to log it. I am expecting to see something like this listed,

https://www.amazon.com/Kokaidia-Navigation-Suction-Robotic-Cleaner/dp/B0DFT3B813/?_encoding=UTF8&pd_...

I also looked at our Palo Alto application that is installed in Splunk, but it is just throwing a JavaScript error and providing no data output, so I have to visit that later. So not even trying to pull that into the conversation unless someone were to say that is how I should be looking at it and my search queries are the problem.

I know someone has experience with this and welcome any and all input.  I am banging my head against the wall and open to anything.
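Added example, not the poster's search and not code from Splunk or Palo Alto: a small Python script that replays the shape of the search above over a handful of constructed PAN-OS URL-filtering events (key=value form; the hostnames, the `dp/EXAMPLE*` product paths and the `svc-solarwinds` user are made up for the sample). It mirrors the search's static filters (url subtype, L3-Untrust zone, `www.*` URLs, asset-extension exclusions, the bare `chris.myers` term treated as a user match) and then counts hits two ways: grouped by `dest_hostname` with the `isnull(referrer)` condition, as the posted search does, and grouped by full `url` without it. The assumption `referrer=""` stands in for a referrer Splunk would report as null.

```python
import re
from collections import Counter

# Constructed sample of PAN-OS URL-filtering events (not real log data).
# One landing page, one search page, three product pages reached by clicking
# links (so they carry a referrer), one JavaScript asset, and two events for a
# second host, one of them from a service account.
SAMPLE_EVENTS = [
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.amazon.com url="www.amazon.com/" referrer=""',
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.amazon.com url="www.amazon.com/s?k=robot+vacuum" referrer="https://www.amazon.com/"',
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.amazon.com url="www.amazon.com/dp/EXAMPLE1/" referrer="https://www.amazon.com/s?k=robot+vacuum"',
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.amazon.com url="www.amazon.com/dp/EXAMPLE2/" referrer="https://www.amazon.com/s?k=robot+vacuum"',
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.amazon.com url="www.amazon.com/dp/EXAMPLE3/" referrer="https://www.amazon.com/s?k=robot+vacuum"',
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.amazon.com url="www.amazon.com/static/app.js" referrer="https://www.amazon.com/dp/EXAMPLE1/"',
    'log_subtype=url user=chris.myers dest_zone=L3-Untrust dest_hostname=www.example.org url="www.example.org/" referrer=""',
    'log_subtype=url user=svc-solarwinds dest_zone=L3-Untrust dest_hostname=www.example.org url="www.example.org/" referrer=""',
]

# key=value pairs; values are either double-quoted (may be empty) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The extension exclusions from the posted search (url!=*.js etc.).
ASSET_EXTENSIONS = (".js", ".jpg", ".png", ".gif", ".svg", ".jpeg", ".css")


def parse_event(line):
    """Parse one key=value event into a dict. An empty value becomes None,
    which is how Splunk's isnull() would see a missing referrer."""
    event = {}
    for key, quoted, bare in KV_RE.findall(line):
        value = bare if bare else quoted
        event[key] = value or None
    return event


def matches_static_filters(event, user="chris.myers"):
    """Mirror the fixed conditions of the posted search. The bare term
    chris.myers in the original is treated here as a match on the user field
    (an assumption of this example)."""
    url = event.get("url") or ""
    return (
        event.get("log_subtype") == "url"
        and event.get("dest_zone") == "L3-Untrust"
        and event.get("user") == user
        and url.startswith("www.")
        and not url.lower().endswith(ASSET_EXTENSIONS)
    )


def hits(lines, group_by, landing_pages_only):
    """Count filtered events grouped by a field.

    landing_pages_only=True reproduces `| where isnull(referrer)`: any page
    reached by clicking a link on the site carries a referrer and is dropped.
    group_by="dest_hostname" reproduces `| top dest_hostname`: every page on a
    host collapses into one bucket, so distinct product URLs are never listed.
    """
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if not matches_static_filters(event):
            continue
        if landing_pages_only and event.get("referrer") is not None:
            continue
        counts[event[group_by]] += 1
    return counts


if __name__ == "__main__":
    print("as posted (by host, landing pages only):",
          dict(hits(SAMPLE_EVENTS, "dest_hostname", True)))
    print("by host, all pages:",
          dict(hits(SAMPLE_EVENTS, "dest_hostname", False)))
    print("by full url, all pages:",
          dict(hits(SAMPLE_EVENTS, "url", False)))
```

Run as-is, the "as posted" view shows a single hit for www.amazon.com even though five distinct pages on that host passed the filters, because the three product pages and the search page carry a referrer and the host-level grouping merges whatever survives. Grouping by `url` without the referrer condition lists each product page separately, which is the shape the post says it expects. The script only demonstrates what the search does with the events it receives; whether the firewall emits an event per product page at all depends on the URL Filtering profile, where the "Log container page only" setting controls whether sub-page requests are logged, so that is worth checking on the Palo side before changing the search.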
