Getting Data In

Palo Alto Threat and Traffic logs not being passed to Splunk, but System and Config logs are.

RichieOl
Explorer

We are testing the log collection from our Palo Alto firewalls and seem to have come across a snag when trying to monitor the traffic and threat events. We have the Palo Alto add-on and app installed, and it is working fine, as the config and system logs are being processed and added to the dashboard. The data model acceleration is on, but there is still no data.

When using the search bar I have been looking for all logs coming in through port 514, as the logs are being sent through UDP (source=udp:514), and I can see the system and config logs there too, but no other types. I am starting to feel like the issue is on the Palo side, but I want to make sure that I am not missing something on the Splunk side too. I've gone through the log forwarding from the Palo side several times, and if it's sending the system and config logs fine, why not the rest? KR

1 Solution

RichieOl
Explorer

Found the solution. I had created the forwarding profile for the traffic and threat logs and set the forwarding to the Splunk server, but I didn't attach it to the security policy I wanted to monitor, so I was only getting the standard config and system logs that monitor the firewall itself, not the data that is getting passed through.

Here is the knowledge article i found that helped me resolve my issue if anyone has a similar problem in the future.

Tips & Tricks: Forward traffic logs to a syslog server - Knowledge Base - Palo Alto Networks

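The root cause above is a configuration gap that is easy to audit: a log forwarding profile only takes effect on the security rules it is attached to (the rule's log-setting), and the profile itself must actually have a syslog destination for the traffic and threat log types. The following script is an added example, not code from the original post or from Palo Alto Networks; it walks a PAN-OS style running-config XML and flags rules with no profile attached, rules whose profile does not forward traffic/threat to syslog, and rules with session-end logging explicitly turned off. The XML fragment is constructed for the example, and the element names (log-settings/profiles, match-list/log-type, send-syslog, rulebase/security/rules, log-setting, log-end) are assumptions from memory of the PAN-OS config layout; verify them against your own `show config running` output before relying on the script.

```python
"""Audit PAN-OS security rules for missing or incomplete log forwarding.

Added example (not the original poster's or Palo Alto's code).  The XML
below is a constructed fragment that mimics the PAN-OS running-config
layout; element names are assumptions to be checked against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: two forwarding profiles and four security rules.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <log-settings>
      <profiles>
        <entry name="to-splunk">
          <match-list>
            <entry name="traffic"><log-type>traffic</log-type>
              <send-syslog><member>splunk-syslog</member></send-syslog></entry>
            <entry name="threat"><log-type>threat</log-type>
              <send-syslog><member>splunk-syslog</member></send-syslog></entry>
          </match-list>
        </entry>
        <entry name="local-only">
          <match-list>
            <entry name="traffic"><log-type>traffic</log-type></entry>
          </match-list>
        </entry>
      </profiles>
    </log-settings>
    <rulebase><security><rules>
      <entry name="allow-web"><log-setting>to-splunk</log-setting><log-end>yes</log-end></entry>
      <entry name="allow-dns"><log-end>yes</log-end></entry>
      <entry name="allow-smtp"><log-setting>local-only</log-setting><log-end>yes</log-end></entry>
      <entry name="allow-ntp"><log-setting>to-splunk</log-setting><log-end>no</log-end></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def forwarding_profiles(root):
    """Map profile name -> set of log types that have at least one syslog target."""
    profiles = {}
    for prof in root.iterfind(".//log-settings/profiles/entry"):
        forwarded = set()
        for match in prof.iterfind("match-list/entry"):
            log_type = match.findtext("log-type")
            # A match-list entry with no send-syslog member never leaves the box.
            if log_type and match.find("send-syslog/member") is not None:
                forwarded.add(log_type)
        profiles[prof.get("name")] = forwarded
    return profiles


def audit_rules(xml_text, required=("traffic", "threat")):
    """Return {rule name: [problem, ...]} for every security rule in the config."""
    root = ET.fromstring(xml_text)
    profiles = forwarding_profiles(root)
    findings = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        problems = []
        profile = rule.findtext("log-setting")
        if profile is None:
            # This is the poster's situation: profile exists but is not attached.
            problems.append("no log forwarding profile attached")
        elif profile not in profiles:
            problems.append(f"profile {profile!r} not defined")
        else:
            missing = [t for t in required if t not in profiles[profile]]
            if missing:
                problems.append(
                    f"profile {profile!r} does not syslog: {', '.join(missing)}")
        if rule.findtext("log-end") == "no":
            # Without log-at-session-end, traffic logs for the rule are never generated.
            problems.append("log at session end explicitly disabled")
        findings[rule.get("name")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_rules(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(problems) if problems else 'OK'}")
```

Run it against a saved `show config running` export instead of the sample to get a per-rule list; any rule reported as "no log forwarding profile attached" will only ever contribute system and config logs, exactly the symptom described in the question. On the Splunk side the matching check is to split what arrives on the listener by type, e.g. `source=udp:514 | stats count by sourcetype`, and confirm that traffic and threat events appear after the profile is attached and the policy is committed.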

