I have Splunk installed on a Windows machine and configured the Palo Alto app along with the add-on.
I have done the configuration on the Palo Alto. I can see from a packet capture that the Palo Alto is sending logs successfully to the Windows machine where Splunk is installed, but I cannot see anything in Splunk itself. Can anyone help?
Regards
Rabab
That dump looks pretty much OK.
Are you 100% sure your udp:514 input sends to the right index? You can also try to find reports about that particular source of syslog data with
index=_internal source=*metrics.log group=udpin_connections 192.168.3.5
If Splunk is receiving data from this host on that udp input, you should get some results with metrics fields like _udp_bps, _udp_eps and so on.
I tried to query
index=_internal source=*metrics.log group=udpin_connections 192.168.3.5
It did not come back with anything.
I believe I have configured the data input correctly and that it is pointing to the right index.
At first glance looks pretty OK.
Check your windows firewall.
For testing, I have disabled the Windows firewall. But I can see that logs are actually arriving at the Windows machine and Splunk is not picking them up.
Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the input is defined, something might be preventing Splunk from binding to the port).
Did you verify with netstat that the Splunk process is actually listening on this port?
(BTW, I don't remember whether you need to restart splunkd after adding the input using the WebUI or REST. You must do so if you change inputs by config files).
Update: I have gone over the configs and
index=_internal source=*metrics.log group=udpin_connections 192.168.3.5
is giving the following output.
We're getting somewhere 🙂
As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to.
Given that it's a Windows installation and that it's called "DESKTOP-something", I assume that it's your private test box and you don't have a lot of data on it. So you can run an
index=*
search over "All time (real-time)" - this is one of the very very rare cases where real-time search makes sense. Very important - don't try this on any production or heavily loaded test box.
With this you can see the events as they come into your Splunk box (so if your events are rare you might have to wait a while). Check the index, source, sourcetype and timestamp of the incoming events.
Another way to find where those events are could be to run
| tstats count where index=* by source sourcetype index
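As an added example, not from anyone in this thread, the Python script below does offline what the metrics.log search above does in Splunk: it parses udpin_connections lines, keeps the peak _udp_bps and _udp_eps per sending host, and separates hosts that actually deliver events to the UDP input from hosts that only show zero-rate samples. The sample lines are constructed; apart from the _udp_bps and _udp_eps fields named in the thread, their layout (timestamp prefix, `host:port` token, `sourcePort=`) is an assumption about the log format.

```python
import re

# Constructed sample lines shaped like splunkd metrics.log udpin_connections
# entries. Only _udp_bps and _udp_eps come from the thread; the rest of the
# layout is assumed. The last line is a different group and must be ignored.
SAMPLE_METRICS = """\
01-01-2024 10:00:31.000 +0000 INFO  Metrics - group=udpin_connections, 192.168.3.5:514, sourcePort=514, _udp_bps=0.00, _udp_eps=0.00
01-01-2024 10:01:02.000 +0000 INFO  Metrics - group=udpin_connections, 192.168.3.5:514, sourcePort=514, _udp_bps=1834.52, _udp_eps=4.12
01-01-2024 10:01:02.000 +0000 INFO  Metrics - group=udpin_connections, 10.0.0.9:514, sourcePort=514, _udp_bps=0.00, _udp_eps=0.00
01-01-2024 10:01:02.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.7:9997, _tcp_Bps=500.00, _tcp_eps=1.00
"""

# Match only udpin_connections lines and pull out sender, port and the two rates.
LINE_RE = re.compile(
    r"group=udpin_connections,\s*(?P<src>[\d.]+):(?P<port>\d+).*?"
    r"_udp_bps=(?P<bps>[\d.]+).*?_udp_eps=(?P<eps>[\d.]+)"
)

def summarize_udp_sources(metrics_text):
    """Return {source_ip: {port, max_bps, max_eps, samples}} over all lines."""
    summary = {}
    for line in metrics_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a udpin_connections metrics line
        entry = summary.setdefault(
            m["src"], {"port": int(m["port"]), "max_bps": 0.0, "max_eps": 0.0, "samples": 0}
        )
        entry["samples"] += 1
        entry["max_bps"] = max(entry["max_bps"], float(m["bps"]))
        entry["max_eps"] = max(entry["max_eps"], float(m["eps"]))
    return summary

def receiving_sources(summary):
    """Hosts that delivered at least one event to the UDP input."""
    return sorted(src for src, e in summary.items() if e["max_eps"] > 0)

def silent_sources(summary):
    """Hosts seen by the input but with zero events in every sample."""
    return sorted(src for src, e in summary.items() if e["max_eps"] == 0)

if __name__ == "__main__":
    s = summarize_udp_sources(SAMPLE_METRICS)
    for src, e in sorted(s.items()):
        print(f"{src}:{e['port']} samples={e['samples']} max_eps={e['max_eps']} max_bps={e['max_bps']}")
    print("receiving:", receiving_sources(s), "silent:", silent_sources(s))
```

A host that appears only in the silent list is reaching the input but producing no events, which points at the input or index configuration rather than the network path.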
It's all working now, thank you for your help.
For future reference, so that if someone finds this thread it has full information - tell us what you did to make things work in the end / what the problem was.
I assume Palo Alto is sending events as syslog data. As you're using Windows I suspect you're not using any additional syslog receiver but want to receive syslog directly on your Splunk (which is not the best idea but let's leave it for now). Have you configured any inputs on your Splunk instance to receive the syslog events? Do you have proper rules in your server's firewall to allow this traffic?
Hello PickleRick,
I have created a data input to allow UDP 514 traffic. So is the index. Please check these screenshots for clarity.
192.168.3.5 is the Palo device and 192.168.3.1 is the Windows machine where Splunk is installed.
Hi Rabab,
A few more details will be needed to help here.
Is your Palo Alto setup sending directly to Splunk, with a syslog server, or via an HF/UF?
Where have you tried looking for the data? Have you looked to see if any of your indexes are growing?
Hello Paul,
Thank you for the quick response. It's direct from Palo Alto to Splunk. I am using the Palo Alto App and Add-on. I am not seeing the indexes growing at all. I tried looking at the data from the Search option and tried to match with various filters.
Regards
Rabab