- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk for Palo Alto HELP with Initial Configurati...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk for Palo Alto HELP with Initial Configuration
We're trying to deploy the SPLUNK FOR PALO ALTO app in our environment (Windows). The app seems to have loaded correctly, as well as the required resources from the apps page.
We setup the configs on the Palo Alto side and traffic appears to be hitting the Splunk environment however nothing is showing up in Splunk.
The inputs.conf file is defined as:
[udp://514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
disabled = 0
With the macros.conf file as:
[pan_index]
definition = index=pan_logs
[pan_threat]
definition = pan_index (sourcetype="pan_threat" OR sourcetype="pan_threat-2050") NOT "THREAT,url"
[pan_threat_all]
definition = pan_index (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_traffic]
definition = pan_index sourcetype="pan_traffic"
[pan_system]
definition = pan_index sourcetype="pan_system"
[pan_config]
definition = pan_index sourcetype="pan_config"
[pan_web_activity]
definition = pan_index "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_url]
definition = pan_index "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_data_filtering]
definition = pan_index "THREAT,data" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_data]
definition = pan_index "THREAT,data" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_wildfire]
definition = pan_index "THREAT,wildfire" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_wildfire_report]
definition = pan_index sourcetype="pan_wildfire_report"
[tstats]
definition = tstats
definition = tstats prestats=true local=tstats_local
[tstats_local]
definition = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rheed. Here are a few things to check...
First, click 'Search' in the menu bar, set the time range to "All time", and use one of the available macros, like...
`pan_index`
Just for clarity, those are back-ticks surrounding the macro, not apostrophes. You should get at least one event to come up with this search.
If you see events here, verify they are in a format where each field is separated by a comma. If the fields are separated by spaces or any other character, you probably have a custom format set in your firewall syslog settings. Remove it to restore the default syslog format.
If you did not see events in the search, try these troubleshooting steps...
- Try removing the line
no_appending_timestamp = truefrom inputs.conf. - Use Wireshark or tcpdump on UDP 514 of the Splunk server to verify you're receiving the syslogs.
- On the firewall, check what log types you are sending to Splunk in your Log Forwarding Profile. Try sending all types of traffic and threat logs.
- On the firewall, ensure your security policy is logging when a connection ends, and using your Log Forwarding Profile. (you can also log connection starts)
Let me know if any of these helps solve the issue. Thanks!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
