
Splunk for Palo Alto Networks: How do I troubleshoot this log parsing issue for PAN firewall?

binbing
New Member

Splunk receives the logs from PAN firewall and logs show up with index=pan_logs, but when I try index=pan_logs sourcetype=pan_config, no logs show up. Then I tried sourcetype=pan_logs instead of sourcetype=pan_config. Logs start showing up after that change, but according to the following message, the logs are not getting parsed correctly.

Check that you are not using a Custom Log Format in the syslog server setting on the firewall. "NO custom log in use"
Check that the inputs.conf file is configured with the line "no_appending_timestamp = true". "Yes, the line is in the inputs.conf"
No forwarder is in use.

Not sure how to resolve the parsing issue. PAN Firewall version is 6.2.0. Splunk for Palo Alto firewall is version 4.2.1.


mbenwell
Communicator

What Splunk architecture do you have?

As sourcetype=pan_logs works, I suspect you might simply have named the sourcetype incorrectly in inputs.conf. It should be 'sourcetype=pan_log' not 'sourcetype=pan_logs'. The app will rewrite sourcetype=pan_log to other sourcetypes based on data being sent in with a sourcetype of 'pan_log'.

If sourcetype=pan_logs happens to be a typo and the sourcetype is actually 'pan_log', then I suspect you have a distributed architecture. In a distributed architecture there are some processes (in particular the sourcetype renaming) which are performed by the indexers as data goes in. The main config you need is in the props.conf and transforms.conf files (should be here: $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/). The configuration in these files is what rewrites the pan_log sourcetype to each respective sourcetype based on text in each log message.

Hope that helps

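To make the answer above concrete, here is an added illustration of the three pieces involved: the input stanza that must tag incoming syslog as pan_log, and the props.conf/transforms.conf pair that renames pan_log to a per-log-type sourcetype such as pan_config. This is example configuration written for this thread, not the actual shipped configuration of Splunk for Palo Alto Networks. The UDP port, the stanza names, and the regex (which assumes the standard PAN-OS comma-separated syslog layout with the log type in the fourth field) are assumptions chosen for the illustration.

```ini
# inputs.conf (on the instance that receives syslog from the firewall)
# The sourcetype here must be exactly pan_log; pan_logs will never match the
# app's rename rules, so events stay unparsed.
[udp://514]
index = pan_logs
sourcetype = pan_log
# Keep the firewall's own timestamp instead of prepending Splunk's.
no_appending_timestamp = true

# props.conf (on the indexer in a distributed deployment, since sourcetype
# renaming happens at index time)
[pan_log]
# Apply the rename transforms in order; each one matches a single log type.
TRANSFORMS-sourcetype = example_pan_config, example_pan_system

# transforms.conf (same instance as props.conf)
# Illustrative stanzas: PAN-OS syslog is CSV with the log type in field 4.
[example_pan_config]
REGEX = ^[^,]*,[^,]*,[^,]*,CONFIG,
FORMAT = sourcetype::pan_config
DEST_KEY = MetaData:Sourcetype

[example_pan_system]
REGEX = ^[^,]*,[^,]*,[^,]*,SYSTEM,
FORMAT = sourcetype::pan_system
DEST_KEY = MetaData:Sourcetype
```

Two checks follow from this layout. First, search index=pan_logs sourcetype=pan_log over a recent window: if events are still arriving with the raw sourcetype, the rename is not running, which on a distributed deployment usually means the app's props.conf and transforms.conf are present on the search head but not on the indexers. Second, run `splunk btool props list pan_log --debug` on the indexer to confirm which file actually supplies the TRANSFORMS-* setting, since a local override or a typo in the stanza name silently disables the rename.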