All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Palo Alto Networks: How do I troubleshoot this log parsing issue for PAN firewall?

binbing
New Member
‎06-28-2015 03:20 PM

Splunk receives the logs from PAN firewall and logs show up with index=pan_logs, but when I try index=pan_logs sourcetype=pan_config, no logs show up. Then I tried sourcetype=pan_logs instead of sourcetype=pan_config. Logs start showing up after that change, but according to the following message, the logs are not getting parsed correctly. 

Check that you are not using a Custom Log Format in the syslog server setting on the firewall.  " NO custom log in use"
Check that the inputs.conf file is configured with the line "no_appending_timestamp = true",  " yes, the line is in the inputs.conf"
No forwarder is in use.

Not sure how to resolve the parsing issue. PAN Firewall version is 6.2.0. Splunk for Palo Alto firewall is version 4.2.1

0 Karma
Reply

mbenwell
Communicator
‎06-29-2015 03:50 AM

What Splunk architecture do you have?

As sourcetype=pan_logs works, I suspect you might have simply incorrectly named the sourcetype incorrectly in inputs.conf. It should be 'sourcetype=pan_log' not 'sourcetype=pan_logs'. The app will rewrite sourcetype=pan_log to other sourcetypes based on data being sent in with a sourcetype of 'pan_log'.

If sourcetype=pan_logs happens to be a typo and the sourcetype is actually 'pan_log', then I suspect you have a distributed architecture. In a distributed architecture there are some processes (in particular the sourcetype renaming) which are performed by the indexers as data goes in. The main config you need is in the props.conf and transforms.conf files (should be here: $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/). The configuration in these files is what rewrites the pan_log sourcetype to each respective sourcetype based on text in each log message.

Hope that helps

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...