Hi,
Please, could anybody explain the configuration steps for Palo Alto App?
The installation is like the rest of the apps, but the initial customization is not explained anywhere, and I think it's very important to know what logging level we need to enable in Palo Alto and what the specific Splunk customization is to locate its out-of-the-box source type.
Thanks in advance.
Hi, I don't remember how, but I got this document with the steps you need to follow for the integration.
*** Installing ***
To install this app:
- Unpack this file into $SPLUNK_HOME/etc/apps
- Restart Splunk
*** Configuring ***
To get the firewall data into Splunk:
http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts
Important: When you configure the input port, you must set the sourcetype of the firewall data to pan_log. Otherwise, the app will not work.
If you are using UDP input, you will also need to add:
no_appending_timestamp = true
to the UDP stanza in your inputs.conf file. For example:
[udp://5155]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
*** Source types ***
As Splunk indexes your Palo Alto Networks firewall data, the app will rename the sourcetypes to pan_threat, pan_traffic, pan_config, and pan_system depending on the logging facility.
*** Search macros ***
The dashboards rely on the search macros for views. These macros are defined in $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.
You should only edit the base macros. If you already have data that has been indexed as a different sourcetype, add your sourcetype to the definition. For example:
definition = sourcetype="pan_traffic" OR sourcetype="foo" OR sourcetype="bar"
Important: All other macros should not be edited.
*** Lookups ***
Lookups are provided for the threat_id and app fields to provide additional information about threats and applications on the network.
*** Summary indexing ***
If you are indexing large volumes of data, you should use summary indexing for the views. This feature requires an Enterprise License.
SI - PAN - Traffic - DataCube
SI - PAN - Traffic - DataCube 2
SI - PAN - Threat - DataCube
SI - PAN - Threat - DataCube 2
SI - PAN - Web Activity - DataCube
SI - PAN - Web Activity - DataCube2
There are six scheduled searches that create a cache for the dashboards every 5 minutes. If you need to change the run schedule of any of the searches, you can edit its properties using Manager.
$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/macros.conf.summary
to
$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/macros.conf
Note:
- After restart, it can take up to 5 minutes for new data to show up.
- For older data, you can use the backfill feature of Splunk to backfill the summary index:
Known issues with Summary Indexed data:
- Drilldown does not work with summary indexed data.
- Filtering does not work with summary indexed data.
We hope to have these issues resolved in future releases of the app.
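The two configuration requirements in the document above (the input stanza must set sourcetype = pan_log, and a UDP stanza must also set no_appending_timestamp = true) are easy to get wrong silently, because the app simply shows no data rather than erroring. The script below is an added example, not code from the app or from the original post: it lints an inputs.conf fragment for those two requirements, and it shows how incoming firewall records get sorted into the pan_traffic, pan_threat, pan_config and pan_system sourcetypes the document says the app renames to. The mapping is keyed on the PAN-OS log "Type" column; the assumption that this is the fourth comma-separated field (after an optional syslog header that contains no commas) is mine, not something the post states. The sample config text and log lines are constructed for the example.

```python
"""Lint a Splunk inputs.conf fragment for the Palo Alto app's requirements
and classify PAN-OS syslog records by log type.

Added example; not part of the Splunk for Palo Alto Networks app.
"""
import configparser
import csv
import io

REQUIRED_SOURCETYPE = "pan_log"

# Assumed mapping from the PAN-OS "Type" column to the sourcetypes the app
# renames to (pan_traffic, pan_threat, pan_config, pan_system).
TYPE_TO_SOURCETYPE = {
    "TRAFFIC": "pan_traffic",
    "THREAT": "pan_threat",
    "CONFIG": "pan_config",
    "SYSTEM": "pan_system",
}


def lint_inputs_conf(text):
    """Return a list of (stanza, problem) pairs for udp:// and tcp:// stanzas
    that would not feed the app. An empty list means the input is usable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for stanza in cp.sections():
        if not (stanza.startswith("udp://") or stanza.startswith("tcp://")):
            continue  # file monitors etc. are not the firewall input
        sourcetype = cp.get(stanza, "sourcetype", fallback=None)
        if sourcetype != REQUIRED_SOURCETYPE:
            problems.append(
                (stanza, f"sourcetype is {sourcetype!r}, must be {REQUIRED_SOURCETYPE!r}")
            )
        if stanza.startswith("udp://"):
            flag = cp.get(stanza, "no_appending_timestamp", fallback="false")
            if flag.strip().lower() not in ("true", "1"):
                problems.append((stanza, "UDP input needs no_appending_timestamp = true"))
    return problems


def classify_pan_line(line):
    """Map one PAN-OS syslog record to the app sourcetype it belongs to.

    Assumption: the record is CSV and its 'Type' column is field index 3.
    A syslog header such as 'Jan 14 12:00:00 PA-200 ' contains no commas, so
    it only lengthens field 0 and does not shift the Type column.
    Returns None for records the app would not recognise."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) < 4:
        return None
    return TYPE_TO_SOURCETYPE.get(fields[3].strip().upper())


# Constructed sample configs: the first is the common mistake (generic
# sourcetype, timestamp flag missing), the second follows the document.
BAD_CONF = """
[udp://5155]
connection_host = ip
sourcetype = syslog

[tcp://5156]
connection_host = ip
sourcetype = pan_log
"""

GOOD_CONF = """
[udp://5155]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
"""

# Constructed sample records; only the first four columns matter here.
SAMPLE_LINES = [
    "Jan 14 12:00:00 PA-200 1,2012/01/14 12:00:00,0001A100000,TRAFFIC,end,1",
    "1,2012/01/14 12:00:01,0001A100000,THREAT,url,1",
    "1,2012/01/14 12:00:02,0001A100000,CONFIG,0,0",
    "1,2012/01/14 12:00:03,0001A100000,SYSTEM,general,0",
    "1,2012/01/14 12:00:04,0001A100000,OTHER,x,0",
]


def classify_all(lines=SAMPLE_LINES):
    """Classify a batch of records; unrecognised types map to None."""
    return [classify_pan_line(line) for line in lines]


if __name__ == "__main__":
    for stanza, problem in lint_inputs_conf(BAD_CONF):
        print(f"{stanza}: {problem}")
    print("good config problems:", lint_inputs_conf(GOOD_CONF))
    for line, sourcetype in zip(SAMPLE_LINES, classify_all()):
        print(sourcetype, "<-", line)
```

Two caveats the document does not mention. First, the renaming to pan_traffic and friends happens at index time, so events that arrived before the input was fixed stay under whatever sourcetype they were indexed with; that is exactly the case the base-macro edit (sourcetype="pan_traffic" OR sourcetype="foo") is for. Second, a UDP syslog listener accepts records from any host that can reach the port, so anything sent to 5155 lands in pan_log and shows up on the dashboards; restrict the listener with Splunk's acceptFrom setting on the stanza or with a host firewall so only the firewall's management interface can reach it.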
Did you ever get this question answered? I have the same issue.
I recommend emailing bd-labs@splunk.com with your question.