All Apps and Add-ons

Splunk for Palo Alto Networks app blank when Splunk shows traffic

blarney
Engager

Splunk 6.1.1 build 207789 running on Ubuntu 14.04
PAN appliance logs show successful connection to syslog server.
Using defaults on PAN syslog settings.

Logs are seen with comma delimiters in straight Splunk. However, there is nothing showing up in Splunk for Palo Alto Networks.

Guidance or advise appreciated

Tags (2)
0 Karma
1 Solution

okrabbe_splunk
Splunk Employee
Splunk Employee

The sourcetype for the logs needs to be pan_log and the index should be pan_logs.

The app docs describe this in more detail:

http://apps.splunk.com/app/491/

View solution in original post

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

No problem! Glad you got it working. I posted the comment as an answer so please accept the answer for posterities sake 🙂

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

The sourcetype for the logs needs to be pan_log and the index should be pan_logs.

The app docs describe this in more detail:

http://apps.splunk.com/app/491/

0 Karma

blarney
Engager

thanks, okrabbe_splunk. My misunderstanding of how splunk works with the splunk for palo alto networks app has been cleared up. It is one or the other and not splunk for palo alto networks on top of splunk. had the source type set as pan_log. Was using the default index though. Changing to pan_logs allowed for event support / different index.
http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Monitornetworkports
Thanks for the pointer.

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

What is the sourcetype and index for the PAN logs? The sourcetype for the logs needs to be pan_log and the index should be pan_logs.

The app docs describe this in more detail: http://apps.splunk.com/app/491/

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...