Solved: Re: Palo Alto Networks App & Add-on Setup

cody_richardson · ‎12-11-2018

Hello all,

I am trying to get logs from Panorama into Splunk to analyze with the Palo Alto Networks App and Add-ons, and am hoping for some pointers in this process.

I am using one Search Head with Enterprise Security installed, and a separate server for the Indexer. Unfortunately all guides I've found assume both of these functions are present on the same server. The App is installed on the Search Head, and the Add-on is installed on the Indexer (per recommendation on this guide: https://splunk.paloaltonetworks.com/getting-data-in.html).

At this point I have two initial questions:

1) How can I ensure logs are sent to the Indexer and stored in the desired location?

2) Once logs are successfully sent to the Indexer, how will the App view data stored on the Indexer?

Thank you.

cody_richardson · ‎12-13-2018

Hi harsmarvania57,

After changing my search parameter to "All Time" under Presets, some of the other Dashboards have started showing data (though not all). I don't know why this is the case.

For right now, I'm content with this, despite the fact that I can't send logs directly from the Panorama. I will need to continue troubleshooting this to get logs to be accepted by the Indexers when not coming from our syslog server.

Thank you for all your help with this and providing the information that you did.

View solution in original post

cody_richardson · ‎12-13-2018

Hi harsmarvania57,

After changing my search parameter to "All Time" under Presets, some of the other Dashboards have started showing data (though not all). I don't know why this is the case.

For right now, I'm content with this, despite the fact that I can't send logs directly from the Panorama. I will need to continue troubleshooting this to get logs to be accepted by the Indexers when not coming from our syslog server.

Thank you for all your help with this and providing the information that you did.

harsmarvania57 · ‎12-12-2018

Hi,

If you will refer https://splunk.paloaltonetworks.com/installation.html, you will easily identify that where you need to install App and Add-on.

And to onboard the data from Palo Alto Panorama to Indexer, please follow this document https://splunk.paloaltonetworks.com/firewalls-panorama-and-traps.html. I prefer syslog path because there will be very less chance of data loss, if you will send Firewall logs directly to Indexer then there will be data loss when you'll restart splunk service on Indexer.

cody_richardson · ‎12-12-2018

Looking under Operations -> Realtime Event Feed, I am actually seeing new data being fed in. Just no other dashboard appears to be working. I did enable Datamodel Acceleration.

harsmarvania57 · ‎12-12-2018

Wait for few minutes, because DataModel acceleration takes time based on number of events you have and backfill period you selected.

cody_richardson · ‎12-12-2018

Still no luck unfortunately. Only the real-time dashboard is displaying data.

harsmarvania57 · ‎12-12-2018

Is Datamodel Acceleration completed 100% ? And logs are properly ingesting with correct sourcetype ?

cody_richardson · ‎12-13-2018

Hello harsmarvania57,

I've been unable to get traffic directly from Panorama to the Splunk Indexer. I've pointed the Panorama syslogs back to the syslog server, and the Indexer is now receiving traffic.

I am back to troubleshooting the fact that the Realtime Event Feed displays data, but no other Dashboard does. I've read through the recommendations at https://splunk.paloaltonetworks.com/troubleshoot.html, and verified the following:

-Datamodel is fully built. All Palo Alto datamodels are at 100%.
-Acceleration is enabled.

Any further ideas?

harsmarvania57 · ‎12-13-2018

If you are using version 6.0 Palo Alto add-on on Indexer/Heavy Forwarder then what sourcetype are you assigning on syslog server while reading log file , is it pan:log ?

Troubleshooting guide (https://splunk.paloaltonetworks.com/troubleshoot.html) they have provided is very good, if you go step by step then you will easily identify the issue.

cody_richardson · ‎12-13-2018

Yes, I've just confirmed this looking at the inputs.conf file.

I've also confirmed that Splunk is successfully parsing this data into the correct subtypes (e.g. pan:firewall) based on searches performed in the Search & Reporting app.

cody_richardson · ‎12-12-2018

Quick update:

As we've been discussing this, Panorama has been sending the syslog information to a syslog server, and that syslog server has a forwarder on it sending the traffic to the Splunk Indexer.

I've removed this configuration and created a new configuration forwarding logs directly from Panorama to the Splunk Indexer. After doing this, the Real-Time feed in the app is no longer displaying information, and I cannot search for new data in the Search & Reporting App. This tells me that there must be something wrong with the new configuration.

I'd like to correct this configuration before moving forward, as this is a fresh configuration that I'll be familiar with. I'm hopeful that once I can get data to be ingested properly with this configuration, data will be displayed on the remaining dashboards.

I will take some time to do this then provide an update here. Thank you for your help so far!

cody_richardson · ‎12-12-2018

Okay, thank you. I will wait a few more minutes to see if the dashboards generate results.

A related question -- on the Palo Alto Network Add-on on the Indexer under the Configuration tab...what account are they asking for?

cody_richardson · ‎12-12-2018

Hi harsmarvania57, thanks for the reply.

I was able to get traffic from Panorama into the Splunk Indexer (I see traffic using the Search & Reporting App), but the data still isn't appearing in the Palo Alto Networks App.

Any idea why?

harsmarvania57 · ‎12-12-2018

Palo Alto Networks app has many dashboards with many panels and while looking at those they depend on Datamodel, so first check whether Palo Alto Datamodel (I guess they provide 3 Datamodel) acceleration completed 100% ?

cody_richardson · ‎12-12-2018

Unfortunately I'm not able to get any of the Dashboards to display data -- Web Activity, User Behavior, etc. Again, despite being able to see the raw data in the Search & Reporting App.

harsmarvania57 · ‎12-12-2018

Goto Palo Alto Networks app then Settings -> Data Models

And check Status of below 3 Data Models (To check the status of Datamodel click on > left to Datamodel )

1.) Palo Alto Networks Aperture Logs
2.) Palo Alto Networks Endpoint Logs
3.) Palo Alto Networks Firewall Logs

Are these datamodel showing status 100% ? If yes then what is the Size on Disk ?

cody_richardson · ‎12-12-2018

Hi harsmarvania57,

I see various Palo Alto Networks Logs, but no indication of status. They seem to be built out though with various sourcetypes defined.

Size on disk is several TB with a small percentage being used. Diskspace should be no issue.

If the Search & Reporting app is able to find the logs from the Panorama, shouldn't the App be able to? Or is there a separate configuration page for the App for it to find the data?

harsmarvania57 · ‎12-12-2018

As per steps I have provided in my previous comment you need to check Datamodel acceleration on Search Head (In Palo Alto Networks App).

cody_richardson · ‎12-12-2018

They are not accelerated. What would enabling this within the context of the Palo Alto app do?

harsmarvania57 · ‎12-12-2018

Many dashboards are depend on Palo Alto Datamodel Accelerations, if you will not able it then many dashboards will not populate in Palo Alto Networks app.

cody_richardson · ‎12-12-2018

And I would do this on the Search Head not the Indexer?

Palo Alto Networks App & Add-on Setup

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...