Palo Alto Networks App for Splunk: How are Traps logs collected?

mattmasog
New Member

Looking for confirmation of how we have the Traps logs coming into Splunk (v6.3.3). The "Endpoints" portion of the app continues to show no data, but I can use eventtype="pan_endpoint" and see all of the Traps logs. Currently I have the inputs.conf file configured as:

sourcetype = pan_endpoint
index = pan_logs

Should the sourcetype be "pan_log"? I've had it that way previously and was getting nothing with a search of 'pan_endpoint' from the PA app. Essentially, the app has never worked, but at least I could see/search the logs as configured above. I'm wondering if it's a bug in the app or in my configuration?

0 Karma

kchamplin_splun
Splunk Employee

What version of the app are you running? The latest build, out of the box, writes to main index, not pan_logs.

0 Karma

mattmasog
New Member

Here's what I have in the \Splunk_TA_paloalto\local inputs.conf:
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

Here's what I have in our syslog monitoring folder\local\inputs.conf:
[monitor://{REDACTED}\palo_alto\pa_traps**.log]
sourcetype = pan:log

index = pan_logs

host_segment = 7

There is no change to whether I have the "index" field of the syslog folder commented out or not. Previously on the syslog monitoring input, I had a sourcetype = pan_endpoint and when I would do a search in splunk, the logs would come in as pan_endpoint, however the Endpoints tab in the PAN App would not populate data. With the sourcetype = pan_endpoint I could use the PAN App, Endpoint - Searches & Reports - Search Endpoint Log Data and pan_endpoint would appear in the search field and logs would show up. That was how I "knew" to put in the syslog setting a sourcetype = pan_endpoint.

So in either scenario: using what the PA configuration documentation says OR putting pan_endpoint via the syslog input, none of the graphs/charts populate endpoint data. Further, if I comment out the "sourcetype = pan:log" in the syslog inputs.conf, the entire PAN app and all dashboards are rendered useless.

Thanks for the help!

0 Karma

kchamplin_splun
Splunk Employee

Sorry for the delay - I spoke with the developers at PAN and it looks like some recent updates to the app and TA will resolve issues with newer versions of Traps. They are both updated on Splunkbase.

0 Karma

mattmasog
New Member

v5.0.1 of the PAN App.

All the other tabs work fine, and we have configured the syslog inputs.conf as I referenced above. Are you saying I should remove the sourcetype and index fields from there and let the system choose itself (based on the PAN App being installed on the Search Heads and Indexers)?

0 Karma

kchamplin_splun
Splunk Employee

http://pansplunk.readthedocs.org/en/latest/getting_started.html?highlight=traps

For version 5.x of the app, the inputs.conf configuration should look similar to the below (per the above link); just use the right sourcetype:

App version 5.x or Add-on

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

App version 4.x and 3.x

[udp://514]
index = pan_logs
sourcetype = pan_log
no_appending_timestamp = true

0 Karma
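The two answers above boil down to a version-dependent sourcetype/index contract: app 5.x wants sourcetype pan:log with no index set, app 4.x/3.x wants sourcetype pan_log with index pan_logs, and pan_endpoint is an eventtype the app defines rather than something to assign in inputs.conf. The script below is an added example, not code from the PAN app, the Splunk TA or anyone in this thread. It parses an inputs.conf fragment with a deliberately minimal parser (it does not reproduce Splunk's full .conf layering) and reports stanzas whose settings contradict the mapping quoted above for a given app version. The version-to-sourcetype table is taken from the thread; the stanza names and the sample file contents are constructed for illustration, and the severity labels are the author's choice.

```python
"""Check a Splunk inputs.conf fragment against the PAN app's expected
sourcetype/index per app version (mapping taken from the forum thread).
Added example; not part of the Palo Alto Networks app or Splunk TA."""
import re

# Expected settings per major app version, as quoted in the thread:
#   5.x  -> sourcetype pan:log, no index in the documented example
#   4.x/3.x -> sourcetype pan_log, index pan_logs
EXPECTED = {
    "5": {"sourcetype": "pan:log", "index": None},
    "4": {"sourcetype": "pan_log", "index": "pan_logs"},
    "3": {"sourcetype": "pan_log", "index": "pan_logs"},
}

_STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_inputs_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}. Skips blank lines and
    comments, lower-cases keys. Not a full Splunk .conf implementation."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _STANZA.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def check_pan_inputs(text, app_version):
    """Return (stanza, severity, message) findings for PAN-looking stanzas.
    A stanza 'looks PAN' if its sourcetype starts with 'pan', its index is
    pan_logs, or its name mentions palo/traps (heuristic, assumption)."""
    major = app_version.split(".")[0]
    if major not in EXPECTED:
        raise ValueError(f"unsupported app version {app_version!r}")
    want = EXPECTED[major]
    findings = []
    for name, kv in parse_inputs_conf(text).items():
        st, idx = kv.get("sourcetype"), kv.get("index")
        lname = name.lower()
        if not ((st or "").startswith("pan") or idx == "pan_logs"
                or "palo" in lname or "traps" in lname):
            continue
        if st is None:
            findings.append((name, "error", "no sourcetype set"))
        elif st == "pan_endpoint":
            findings.append((name, "error",
                             "pan_endpoint is an app eventtype, not an input "
                             f"sourcetype; use {want['sourcetype']}"))
        elif st != want["sourcetype"]:
            findings.append((name, "error",
                             f"sourcetype {st!r} != {want['sourcetype']!r} "
                             f"for app {app_version}"))
        if want["index"] and idx != want["index"]:
            findings.append((name, "error",
                             f"index should be {want['index']!r}, found {idx!r}"))
        if want["index"] is None and idx is not None:
            findings.append((name, "info",
                             f"index={idx!r} set; the 5.x example omits index, "
                             "confirm the app's searches cover it"))
        # Both documented examples set this on the UDP listener.
        if lname.startswith("udp://") and \
                kv.get("no_appending_timestamp", "").lower() != "true":
            findings.append((name, "warn",
                             "no_appending_timestamp = true missing on UDP input"))
    return findings


# Constructed sample modelled on the thread's configuration (not the poster's
# real file; the monitor path is a placeholder).
SAMPLE_CONF = r"""
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

[monitor://C:\syslog\palo_alto\pa_traps*.log]
sourcetype = pan_endpoint
index = pan_logs
host_segment = 7
"""

# Same file with the monitor stanza corrected for app 5.x.
FIXED_CONF_5X = SAMPLE_CONF.replace("sourcetype = pan_endpoint",
                                    "sourcetype = pan:log") \
                           .replace("index = pan_logs\n", "")

if __name__ == "__main__":
    for stanza, sev, msg in check_pan_inputs(SAMPLE_CONF, "5.0.1"):
        print(f"[{sev}] {stanza}: {msg}")
```

Run it against each app version you actually have installed; a stanza that is clean for 5.x will be flagged for 4.x and vice versa, which is the mismatch the thread is chasing.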