The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default indexer, which is "AAA", with default source type "BBB".
We have also installed the Palo Alto add-on on the indexers (in cloud) and also deployed the Palo Alto app on the search head.
We have created a props.conf and transforms.conf which segregate the Palo Alto data from the default sourcetype "AAA" to "pan:logs". So now we have Palo Alto data coming in to our default indexer "AAA" with sourcetype "pan:logs".
Now, I have seen some articles which mention that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype is "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?
The Palo Alto TA separates the different types of logs into different sourcetypes (pan:traffic, etc). It does this by way of a TRANSFORM defined for the pan:log sourcetype.
It sounds like you have your logs coming in as sourcetype AAA, and your indexer is changing this via a TRANSFORM to pan:log. The issue with this is the Palo Alto TA TRANSFORMS will never run against your data unless they first hit the indexer with the pan:log sourcetype. It will not work for them to come in initially as something other than pan:log (or pan_log, as you've seen referenced as well). And this does require the TA to be in place on the indexer (or heavy forwarder, if the logs go through one before reaching the indexer).
My suggestion is to find a way to get those logs sourcetyped correctly as pan:log when they are first brought in to Splunk.
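As an added illustration of the point made in this answer (not configuration from the original thread or from the Palo Alto TA itself), here are the two setups side by side in Splunk .conf syntax. The UDP port, the index name and the REGEX used to recognise Palo Alto syslog lines are assumptions.

```ini
# Setup described in the question (does not feed the TA):
# everything arrives as sourcetype AAA and an index-time TRANSFORM on the
# indexer rewrites the sourcetype to pan:log. Splunk evaluates TRANSFORMS
# against the sourcetype the event arrived with, so the TA's own [pan:log]
# TRANSFORMS (which split events into pan:traffic etc.) never run on them.

# props.conf (indexer)
[AAA]
TRANSFORMS-set_pan = set_pan_sourcetype

# transforms.conf (indexer)
[set_pan_sourcetype]
# Assumed regex: the PAN-OS CSV syslog line carries the log type as a field
REGEX = ,(TRAFFIC|THREAT|SYSTEM|CONFIG),
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:log

# Setup the answer recommends: assign pan:log at the input, on the heavy
# forwarder or indexer that receives the syslog stream from the management
# platform, so the events reach parsing already carrying the sourcetype
# the TA keys on. Port and index are assumed values.

# inputs.conf (heavy forwarder or indexer receiving the syslog feed)
[udp://5514]
sourcetype = pan:log
index = AAA
no_appending_timestamp = true
```

With the second setup the TA's props.conf and transforms.conf, already installed on the indexer, apply to the pan:log events and route them to the per-type sourcetypes without any custom transform.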
Appreciate your response.
So, recently we finished installing the Palo Alto App/add-on on the SH and indexers. One good thing is that now I am able to see 4 sourcetypes populating automatically:
I can see all 4 sourcetypes now, i.e.
But none of my dashboards in the Palo Alto app give any result.
Please look here:
Where to install: It's recommended to install both the Palo Alto Networks App and Add-on on all Search Heads, Indexers, and Heavy Forwarders. Do not install on Universal Forwarders.
Also see props.conf in the app (Palo Alto add-on). I think that if you do the same settings it will import correctly.
Thanks for your response.
We have installed both the Palo Alto add-on and App on the Search Head / Indexers.
So, next you want me to try copying the props.conf settings from the Palo Alto App and add the same settings to the Palo Alto Add-on? Please confirm.
What is the result of executing the searches below?
Acceleration of the data model may be disabled. Please rebuild the acceleration of the data model.
| tstats summariesonly=t count FROM datamodel="pan_firewall"
| tstats summariesonly=f count FROM datamodel="pan_firewall"
Data model acceleration status: 6 Events. Shared in App. Owned by nobody. Last Access: 1/10/18 1:08:47.000 AM. Size on Disk / 1/10/18 1:10:10.000 AM.
There seems to be no wrong setting.
Does it really not display anything?
Here is the User Behavior > Traffic Events search:
| tstats summariesonly=t latest(_time) AS _time, values(log.log_subtype) AS log.log_subtype, values(log.http_category) AS log.http_category, values(log.app:is_saas) AS log.app:is_saas, values(log.app:default_ports) AS log.app:default_ports, values(log.app) AS log.app, values(log.user) AS log.user, values(log.file_name) AS log.file_name, values(log.file_hash) AS log.file_hash, values(log.url) AS log.url, values(log.dest_name) AS log.dest_name, values(log.dest_port) AS log.dest_port, values(log.severity) AS log.severity, values(log.bytes_in) AS log.bytes_in, values(log.bytes_out) AS log.bytes_out count FROM datamodel="pan_firewall" WHERE (nodename="log.traffic" OR nodename="log.url" OR nodename="log.data") """" GROUPBY sourcetype log.serial_number log.session_id log.client_ip log.server_ip log.src_ip | rename log.* AS * | search log_subtype="end" | stats count