Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About btorresgil
btorresgil
Builder
Member since:
06-08-2013
02-04-2021
Community Statistics
| Posts | 140 |
| Solutions | 26 |
| Karma Given | 5 |
| Karma Received | 64 |
| Member Since | 06-08-2013 |
Activity Feed
- Got Karma for Re: Palo Alto App cannot see data but logs are seen as PAN:*. 06-05-2020 12:50 AM
- Got Karma for Re: Threatlist Error after clean install of Palo Alto App and Add-on 6.0. 06-05-2020 12:49 AM
- Got Karma for Re: Threatlist Error after clean install of Palo Alto App and Add-on 6.0. 06-05-2020 12:49 AM
- Got Karma for Re: User Behavior search error in Tsidxstats 6.0. 06-05-2020 12:49 AM
- Karma Re: How do I get the Palo Alto Networks App for Splunk to parse URLs with commas? for MonkeyK. 06-05-2020 12:48 AM
- Got Karma for Re: Why does the Palo Alto Networks App for Splunk make calls out to Palo Alto?. 06-05-2020 12:48 AM
- Got Karma for Re: Palo Alto Networks App for Splunk: Is it possible to restrict certain Palo Alto traffic logs?. 06-05-2020 12:48 AM
- Got Karma for Re: Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto. 06-05-2020 12:48 AM
- Got Karma for Re: Support for the 'Authentication' and 'Network Session' data models on the Splunk_TA_paloalto. 06-05-2020 12:48 AM
- Got Karma for Re: Why do I only see version 5.3 of the Palo Alto Networks App for Splunk on Internet Explorer?. 06-05-2020 12:48 AM
- Got Karma for Re: How to capture URL information. 06-05-2020 12:48 AM
- Got Karma for Re: Palo Alto Networks App for Splunk: Why is Traps data not properly populating in the Endpoint tab?. 06-05-2020 12:48 AM
- Karma Re: Do we need to install the Palo Alto Networks App for Splunk on all of our indexers? for lguinn2. 06-05-2020 12:47 AM
- Karma Re: How do I divide multiple values in a field into new separate fields at search-time? for sundareshr. 06-05-2020 12:47 AM
- Got Karma for Re: Get an error clicking on any of the pie-charts on the Threats Dashboard. 06-05-2020 12:47 AM
- Got Karma for Re: Dashboards not populating other than main Palo Alto Network Overview Dash. 06-05-2020 12:47 AM
- Got Karma for Re: Why are other apps showing errors about missing PAN lookup files after upgrading Splunk for Palo Alto Networks to 4.1.2?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are other apps showing errors about missing PAN lookup files after upgrading Splunk for Palo Alto Networks to 4.1.2?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are other apps showing errors about missing PAN lookup files after upgrading Splunk for Palo Alto Networks to 4.1.2?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are other apps showing errors about missing PAN lookup files after upgrading Splunk for Palo Alto Networks to 4.1.2?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 7 | |||
| 2 | |||
| 1 | |||
| 3 |
11-14-2014
09:53 AM
Hello,
First, you should know that the Splunk app for Palo Alto Networks doesn't yet support PAN-OS 6.1 threat logs. The logs will be indexed and when they are supported even old logs will look right, but some of the fields may be a little off right now. Traffic, config, and system logs work fine.
Now regarding your question, it's good that you're getting system and config logs. The other log type require a log forwarding profile to be attached to a rule in your security policy. Make sure that there is traffic through the firewall that matches a rule in your security policy with a log forwarding profile attached. Once that's done, if you enable logging for the start or end of a session in that rule then you'll get traffic logs in Splunk, and if you add a security profile (like Vulnerability Protection or URL Filtering) to the rule then you'll get threat logs in Splunk.
... View more
11-04-2014
10:12 AM
Hi Jon,
The threat details dashboard relies on a combination of threat and traffic logs. Ensure you're sending traffic logs to Splunk by enabling 'start' and/or 'end' logs in the same security rule where the threat profiles are applied. You can verify you're receiving traffic logs in Splunk by using the macro:
`pan_traffic`
-Brian
... View more
10-29-2014
08:40 AM
Hello,
You'll want to download the "Splunk for Palo Alto Networks" app from here: http://apps.splunk.com/app/491
Once you have that and have configured it per the documentation on that same page, then the syslogs will automatically be indexed with the correct fields.
The app comes with many pre-defined dashboards and reports. But you can define your own using the Splunk search or Data Model Pivot feature.
For example, you could use the following searches to generate the reports as tables:
Report 1:
index=pan_logs sourcetype=pan_traffic (application!=unknown-tcp AND application!=unknown-udp) | stats count by src_ip dst_ip application action | sort -count
Report 2:
index=pan_logs sourcetype=pan_traffic (application=unknown-tcp OR application=unknown-udp) | stats count by src_ip dst_ip protocol dst_port application action | sort -count
... View more
10-16-2014
10:48 AM
3 Karma
Hi JSapienza,
Thanks for pointing out this issue, I put out a fix in version 4.1.3 of the app. Let me know in a comment if there are any other problems you notice with the meta files.
Thanks!
-Brian
... View more
10-10-2014
04:44 PM
This change is no longer needed in version 4.1.2 and higher. These versions of the Palo Alto Networks app contain the change already.
... View more
10-10-2014
04:41 PM
1 Karma
Looks like the Datamodel is stuck in Building status. To start, I recommend upgrading to the latest version of the app, 4.1.2, which has the fix you mentioned for the Datamodel. Then remove any changes to the data model by deleting the directory SplunkforPaloAltoNetworks/local/data/models. Then restart Splunk and rebuild the data model by clicking the 'rebuild' button. That should cause the data to accelerate and the dashboards to populate.
Also ensure that you've installed the app on your search heads and indexers and that the 'pan_logs' index exists and contains your firewall logs.
... View more
08-28-2014
09:03 AM
Hello,
If the logs are coming in as sourcetype=pan_log, then that is usually due to a parsing issue because it is supposed to parse the logs and separate them into different sourcetypes. Typically it can't parse the logs because they have been changed in some way from their original default format. Check that you aren't using a custom log format on the firewall, and that your syslog-ng server isn't changing the logs so that the parser can't determine the correct sourcetype for each log.
-Brian
... View more
08-11-2014
09:03 AM
Hello,
All the dashboards work off the same datamodel, so if one dashboard is showing data but the others aren't, it's probably because the firewall isn't sending the other kinds of syslogs (like threat, config, system, etc). You can use the troubleshooting guide to try and send config logs and see if they show up in the config dashboard:
Splunk for Palo Alto Networks App - Troubleshooting guide:
https://live.paloaltonetworks.com/docs/DOC-6593
... View more
07-31-2014
08:48 AM
3 Karma
Hello,
There is an installation and troubleshooting guide available here:
https://live.paloaltonetworks.com/docs/DOC-6593
If you have a specific issue, please feel free to open a new question with a description of the problem you're having.
Thanks!
-Brian
... View more
07-08-2014
08:12 AM
2 Karma
Hello,
Usually the clock or timezone is wrong on the Splunk server or firewall, but since you checked that, you're probably missing the " no_appending_timestamp = true " in your inputs.conf. Make sure the inputs.conf entry looks something like this:
[udp//5514]
connection_host = ip
index = pan_logs
sourcetype = pan_log
no_appending_timestamp = true
Here is a guide on configuring and troubleshooting the app:
https://live.paloaltonetworks.com/docs/DOC-6593
Please let us know if that fixes the issue. Thanks!
... View more
06-20-2014
08:27 AM
2 Karma
The Splunk for Palo Alto Networks App has a data model and dashboards built in. There is a dashboard called Web Activity Report that has the websites, you could easily add users to the panels. Or you can use a pivot to build your own by clicking 'Settings' at the top right, then 'Datamodel', select the Palo Alto Networks Logs data model, and click 'Pivot'. Here you can build a pivot with the fields 'user' and 'dst_hostname' to get the report you want.
Splunk for Palo Alto Networks App:
http://apps.splunk.com/app/491/
... View more
05-16-2014
09:11 AM
2 Karma
You can change the limits in the datamodel settings. The default for the Palo Alto Networks app is 1 year of data summarized, but you can adjust it down to months or days using these steps:
Goto the Splunk for Palo Alto Networks App
In the top right, click "Settings" -> "Data Models"
For the "Palo Alto Networks Logs" data model, click "Edit" -> "Edit Acceleration"
Change the "Summary Range" from "1 Year" to your desired value.
Note that the dashboards in the app use accelerated data, so this setting defines the timerange available in the dashboards.
... View more
05-08-2014
11:04 AM
You can remove tags by adding action=rem to the command. If the tag doesn't exist and you try to remove it, you may get an error, but it can be safely ignored.
... View more
05-02-2014
02:44 PM
Use one of the special commands in the app. For dynamic address groups, you're probably looking for the pantag command.
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/wiki/Special-Searchbar-Commands
... View more
04-08-2014
11:38 AM
Hi chuffpdx,
With the version of the App you're using, there is no built-in way to keep these files in check. This is a limitation of the TSIDX system from Splunk 5. You can remove the files manually... shut down splunk, remove the pan_* directories, then start splunk. You can write a script to do this periodically, but it will prevent historic data from begin visible in the dashboards of the app if you remove the files, because you're deleting that historic data.
Starting with version 4.1 of the Palo Alto Networks App, it uses the new Splunk 6 datamodel feature instead of TSIDX. The datamodel automatically limits the amount of historic data in the summary index to an amount you specify (1 year by default). If you upgrade to Splunk 6 and Palo Alto Networks app version 4.1 or higher, then you won't have these TSIDX files anymore.
... View more
04-08-2014
11:25 AM
Hi gafrol,
For the content and web activity report dashboards to populate, you need to send URL syslogs to Splunk. For the WildFire dashboard you need to send WildFire syslogs to Splunk.
URL syslogs require the URL Filtering license on the firewall, and WildFire logs require a WildFire license on the firewall.
If you are sending the logs and they still aren't populating, try using the macro pan_url to verify the logs are getting received and parsed correctly.
... View more
03-26-2014
02:20 PM
The dashboards should populate after 5 mins. Strange that it took longer, but glad it's working now.
... View more
03-20-2014
02:40 PM
2 Karma
'summariesonly=t' helps. In testing page response times, tsidx takes 9 seconds, datamodel takes 15 seconds, datamodel with summariesonly takes 11 seconds. Is there any way to do summariesonly with the |pivot command instead of the |tstats command? Or do I have to convert all my |pivots to |tstats?
... View more
02-06-2014
09:06 AM
7 Karma
Working on my app, I have converted all of the TSIDX-based dashboards over to an accelerated Data model. So instead of using "|tstats FROM tsidxindex" everywhere, now I'm using either "|tstats FROM datamodel=mydatamodel" or "|pivot" to create all of the charts on the dashboards. The datamodel is accelerated and the accelerated index is 100% built.
However...
On the same exact servers with roughly the same amount of data, I've noticed that the dashboards take much longer to populate the graphs and tables when using the accelerated datamodel than they did when using just TSIDX summary indexes. On the order of 5-20 seconds longer for the datamodel. This makes navigating the dashboards feel slow and clunky as the charts and tables slowly populate over time. There is very little data in my test environment, less than 1 Gig.
On some servers the charts and tables will even hang around 50% loaded and won't complete even after 30 seconds of waiting. I'm not sure if this is the same issue or a different issue, because it only affects some servers while the slowness affects all of them. But the hanging issue also never affected the TSIDX summary indexes, only since I switched to datamodel.
... View more
12-16-2013
03:04 PM
Hi cuke, the credentials in the setup screen will always be empty, even when a user and password have been entered previously, that's just how setup.xml works. The user and password are stored in SplunkforPaloAltoNetworks/local/app.conf. You might try starting over by removing any credentials found in that file, and entering the credentials again in the browser on the setup screen. There isn't any feedback if it works correctly, you'll just find that local/app.conf now has encrypted credentials, which means it worked.
That lack of feedback from setup.xml isn't ideal, but we handle it this way so that the credentials are stored encrypted. I believe in this case security is more important than convenience.
... View more
11-04-2013
02:39 PM
Hello, I recommend opening a Splunk support ticket on this one. Sounds like an issue outside of the app.
... View more
10-21-2013
08:42 PM
After further investigation, it's not just dashboard timepickers that are being ignored. If I go to Pivot and put 'All time' or '2 seconds' I get the same results, which is incorrect. Also, it doesn't affect every server with Splunk, only some (I have one where it is currently reproduced).
I also observed that the data model on that server is accelerated, but under the acceleration info it says 'Size on Disk' is '0.00MB', even though it says the status is 100% completed. Perhaps the datamodel is getting corrupted somehow?
... View more
10-21-2013
08:06 PM
Thanks, I tried adding the earliest and latest parameters to the populatingSearch element, but it didn't change anything. Still getting the same error.
Keep in mind that the error I'm seeing is not on the dashboard in the original question, it's actually on this dashboard which leverages the Data Model:
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/feature/datamodel/default/data/ui/views/traffic_overview.xml
I don't know if the error in the screenshot is related to the original problem which is the dashboard timepicker is being ignored.
... View more
10-21-2013
04:58 PM
I just tried changing the to a default tag like you suggested, and I tried removing the earliestTime and latestTime tags from one of the panels, but I see the same behavior.
... View more
10-21-2013
04:46 PM
I don't think these lines are problems because they were created by Splunk when the dashboard was created. So if those lines are wrong, then Splunk is creating them wrong.
The example link above may be a bad example because it has a workaround for the problem in it. Here is an example that consistently manifests the issue:
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/feature/datamodel/default/data/ui/views/traffic_overview.xml
Here is an error I get when accessing that dashboard, and the inspection info:
https://paloaltonetworks.box.com/splunk-timerange-issue
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-04-2021
07:34 PM
|
