Hi, I don't remember how, but I got this document with the steps you need to follow for the integration.
### ### ### ### ### ### ### ### ### ### ### ###
Splunk for Palo Alto Networks App
Description:
Field extractions and sample reports,
and dashboards for the Palo Alto
Networks Firewall
Splunk Version: 4.0.x and Higher
App Version: 1.0.1
Last Modified: Feb - 2011
Authors: Will Hayes - Splunk, Inc.
Karandeep Bains - Splunk, Inc.
For support, contact: bd-labs@splunk.com
### ### ### ### ### ### ### ### ### ### ### ###
*** Installing ***
To install this app:
- Unpack this file into $SPLUNK_HOME/etc/apps
- Restart Splunk
*** Configuring ***
To get the firewall data into Splunk:
Configure a port on the Splunk server to listen for UDP or TCP traffic. If you do not know how to do this, refer to the online documentation here:
http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts
Important: When you configure the input port, you must set the sourcetype of the firewall data to pan_log. Otherwise, the app will not work.
If you are using UDP input, you will also need to add:
no_appending_timestamp = true
to the UDP stanza in your inputs.conf file. For example:
[udp://5155]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
Next, configure the firewall device to direct log traffic to the Splunk server on the network port that you specified.
*** Source types ***
As Splunk indexes your Palo Alto Networks firewall data, the app will rename the sourcetypes to pan_threat, pan_traffic, pan_config, and pan_system depending on the logging facility.
*** Search macros ***
The dashboards rely on the search macros for views. These macros are defined in $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.
You should only edit the base macros. If you already have data that has been indexed as a different sourcetype, add your sourcetype to the definition. For example:
definition = sourcetype="pan_traffic" OR sourcetype="foo" OR sourcetype="bar"
Important: All other macros should not be edited.
*** Lookups ***
Lookups are provided for the threat_id and app field to provide additional information about threats and applications on the network.
*** Summary indexing ***
If you are indexing large volumes of data, you should use summary indexing for the views. This feature requires an Enterprise License.
Use the Manager link to enable these searches:
SI - PAN - Traffic - DataCube
SI - PAN - Traffic - DataCube 2
SI - PAN - Threat - DataCube
SI - PAN - Threat - DataCube 2
SI - PAN - Web Activity - DataCube
SI - PAN - Web Activity - DataCube2
There are six scheduled searches that create a cache for the dashboards every 5 minutes. If you need to change the run schedule of any of the searches, you can edit its properties using Manager.
Rename:
$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/macros.conf.summary
to
$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/macros.conf
Restart Splunk
Note:
- After restart, it can take up to 5 minutes for new data to show up.
- For older data, you can use the backfill feature of Splunk to backfill the summary index:
http://www.splunk.com/base/Documentation/latest/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_backfill_script_to_add_other_data_or_fill_summary_index_gaps
Known issues with Summary Indexed data:
- Drilldown does not work with summary indexed data.
- Filtering does not work with summary indexed data.
We hope to have these issues resolved in future releases of the app.
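As an added example, not part of the README or of the app itself, here is a small Python check for the two inputs.conf requirements the README stresses: the input must carry sourcetype = pan_log, and a UDP stanza must also set no_appending_timestamp = true (otherwise Splunk prepends its own timestamp to every UDP event and the app's field extractions no longer line up). The sample inputs.conf and its port numbers are constructed, and the check assumes every udp:// or tcp:// stanza in the file is meant to receive firewall logs.

```python
"""Check a Splunk inputs.conf for the settings the PAN app README requires."""

# Constructed sample inputs.conf, not from a real deployment:
# one correct UDP stanza, one TCP stanza with the wrong sourcetype,
# and one UDP stanza missing no_appending_timestamp.
SAMPLE_INPUTS_CONF = """\
[udp://5155]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

[tcp://5156]
connection_host = ip
sourcetype = syslog

[udp://5157]
sourcetype = pan_log
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blanks are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_pan_inputs(text, expected_sourcetype="pan_log"):
    """Return {stanza: [problems]} for every udp:// or tcp:// input stanza."""
    findings = {}
    for stanza, settings in parse_conf(text).items():
        if not stanza.startswith(("udp://", "tcp://")):
            continue  # file monitors, scripts etc. are not firewall inputs
        problems = []
        if settings.get("sourcetype") != expected_sourcetype:
            problems.append(f"sourcetype is {settings.get('sourcetype')!r}, expected {expected_sourcetype!r}")
        if stanza.startswith("udp://") and settings.get("no_appending_timestamp", "").lower() != "true":
            problems.append("no_appending_timestamp = true is missing on a UDP input")
        findings[stanza] = problems
    return findings


if __name__ == "__main__":
    for stanza, problems in check_pan_inputs(SAMPLE_INPUTS_CONF).items():
        print(stanza, "OK" if not problems else "; ".join(problems))
```

Point it at $SPLUNK_HOME/etc/system/local/inputs.conf (or the app's local/inputs.conf) by reading that file into `check_pan_inputs` instead of the constructed sample.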