We are currently sending all of our Palo Alto syslogs to a syslog server that collects multiple machines' syslogs and forwards them via a universal forwarder to our Splunk instance.
We filtered out all logs tagged with the Palo Alto device name and set the sourcetype to pan_log.
Here's the piece of our inputs.conf broken out for the Palo Alto logs from our syslog server, /prod/splunkforwarder/etc/apps/syslog/default/inputs.conf:
[monitor:///prod/remotesyslog/logs/paloalto/]
blacklist=.gz$
disabled=false
sourcetype=pan_log
host_segment=4
index=syslog
The index=syslog is the generic index name we use for all syslogs rather than 'main' or 'default' etc.
We also made an update to the macros.conf on the application side via our search head and included the index name under /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default:
[pan_threat]
definition = index=syslog sourcetype="pan_threat" NOT "THREAT,url"
[pan_traffic]
definition = index=syslog sourcetype="pan_traffic"
[pan_system]
definition = index=syslog sourcetype="pan_system"
[pan_config]
definition = index=syslog sourcetype="pan_config"
[pan_web_activity]
definition = index=syslog sourcetype="pan_threat" "THREAT,url"
Oddly enough, under the dir /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local the inputs.conf listed there is empty. Is this correct?
Now, as it stands, I am able to see under Splunk Deployment Monitor a pan_log sourcetype that is receiving traffic, but I am unable to view any data under the Palo Alto app or by doing an independent search such as sourcetype="pan_log" or 'pan_threat' etc.
Any help would be greatly appreciated.
asked 26 Oct '12, 12:10
Adding to the summary indexing discussion: please take a look at this post: Summary indexing on a search head on Splunk Answers. Also, if you plan on using multiple indexers, I would discourage the use of summary indexes for now. Admittedly, the summary indexing use is not the best in this app. The summaries are of a high dimensionality, which results in a low summarized-to-raw data ratio. Ultimately, the summaries will become very large. I am working on a better strategy for this.
'pan_threat' host="pa*": I was unable to recreate this issue. This search works OK on a newly installed Splunk instance with a fresh install of the app.
The reason this works:
index="pan_logs" pan_threat | bin _time span=5m | fillnull vsys app category src_ip dst_ip severity RISK threat_id CATEGORY | stats count by vsys app threat_id severity category src_ip dst_ip log_subtype CATEGORY RISK _time
is that the pan_logs index is not in the default search path of the user running the search.
I appreciate your feedback. I have added several things to my to-do list for the next version of the app. Happy to talk to you in person about some of this.
The app's main dashboard page has inline searches. Those searches use index=pan_logs. Other views have searches built on the macros. You have already modified those macros, but adding the index=syslog was not necessary for those views.
Lastly, it is a good practice to keep different log types separated by indexes. I would not recommend sending all syslog type logs into one index.
answered 11 Dec '12, 20:18
You shouldn't be editing anything in the default folder. Anything you want to modify should be in the local folder. I believe stanzas/sections in local supersede anything in default. Here is what my inputs.conf in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local
answered 01 Dec '12, 10:20
OK, I hate to use the answer box because this is only kind of an answer, based on everything I've gathered from people on this thread. So if another noob is searching and finds this, hopefully this overview will get them part way there pretty quickly without sifting through and piecing all this together from the whole thread, aside from my added issue at the bottom, that is.
Overview: Distributed search
I am still having a few other issues but I'll post those as a comment on this.
I have an existing syslog server that was already receiving Palo Alto logs. I've installed the universal forwarder on the syslog server and it is successfully sending the data to Splunk. The PA app seems to be working OK, with the exception that searches by username always return no data. If I use the default Splunk search page, I would like the 'host' field to be populated with the hostname of the firewall that generated the log message. Right now, it is always populated with the name of the logfile "firewall.log". I have tried several iterations of transforms.conf and props.conf on the syslog/forwarder host. Here are the current contents:
answered 14 May '13, 08:58
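An added illustration, not from the thread or from the Palo Alto app: a small Python parser that applies the same "THREAT,url" split the question's macros use to constructed PAN-OS-style syslog lines, pulls the firewall hostname out of the syslog header (the host value the last post is after), and emulates what inputs.conf host_segment picks for the monitor path in the question. The CSV field positions, hostnames and sample values are assumptions made up for this example.

```python
import re

# Constructed sample lines (not real firewall output): a BSD syslog header, then a
# PAN-OS-style CSV body whose 4th and 5th fields are "TYPE,subtype", which is the
# text the page's macros match with the literal "THREAT,url". Positions are assumed.
SAMPLE_LOGS = [
    '<14>Oct 26 12:10:01 pa-fw-01 1,2012/10/26 12:10:01,000A1B2C3,TRAFFIC,end,10.1.1.5,93.184.216.34',
    '<14>Oct 26 12:10:02 pa-fw-01 1,2012/10/26 12:10:02,000A1B2C3,THREAT,url,10.1.1.5,93.184.216.34',
    '<14>Oct 26 12:10:03 pa-fw-02 1,2012/10/26 12:10:03,000A1B2C4,THREAT,vulnerability,10.1.2.9,10.1.1.5',
    '<14>Oct 26 12:10:04 pa-fw-02 1,2012/10/26 12:10:04,000A1B2C4,SYSTEM,general,0,0',
    '<14>Oct 26 12:10:05 pa-fw-01 1,2012/10/26 12:10:05,000A1B2C3,CONFIG,0,0,0',
]

SYSLOG_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'                            # PRI
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '  # BSD timestamp
    r'(?P<host>\S+) '                                 # sending host: the firewall
    r'(?P<msg>.*)$'                                   # CSV body
)

def parse_line(line):
    """Return (firewall_host, sourcetype) for one line, or None if it does not parse."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    fields = m.group('msg').split(',')
    if len(fields) < 5:
        return None
    log_type, subtype = fields[3].upper(), fields[4].lower()
    if log_type == 'THREAT':
        # Same split as the macros: "THREAT,url" is web activity, every other
        # THREAT record stays in pan_threat.
        sourcetype = 'pan_web_activity' if subtype == 'url' else 'pan_threat'
    elif log_type in ('TRAFFIC', 'SYSTEM', 'CONFIG'):
        sourcetype = 'pan_' + log_type.lower()
    else:
        return None
    return m.group('host'), sourcetype

def route_logs(lines):
    """Map each line to (host, sourcetype), dropping anything that does not parse."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]

def host_from_segment(path, host_segment):
    """Emulate inputs.conf host_segment=N: the Nth '/'-separated segment becomes host."""
    segments = [s for s in path.split('/') if s]
    return segments[host_segment - 1] if 0 < host_segment <= len(segments) else None
```

Run against the question's monitor path, host_from_segment('/prod/remotesyslog/logs/paloalto/firewall.log', 4) yields the directory name "paloalto", not a firewall name, which is why a header-based extraction like parse_line is needed when several firewalls share one file.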