All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Palo Alto Networks App for Splunk: Why is Traps data not properly populating in the Endpoint tab?

david_casey
Path Finder
‎09-19-2016 12:01 PM

Hello Splunkers!

Need help with the Palo Alto TRAPS data not properly populating in the Palo Alto Networks App for Splunk "Endpoint" tab. All other tabs work perfectly.

  1. Running Splunk Enterprise 6.4.0, CentOS7, PA App v5.2.0, PA ESM v3.4.0. Non-clustered environment.

  2. I have a fresh install of the Palo Alto Networks App for Splunk and Palo Alto Networks Add-on for Splunk. The indexer and the search head have both the app and add-on installed per the developer. Permissions have been verified and no errors noted on restarting Splunk.

  3. TRAPS ESM Syslog config updated to point to a Splunk Indexer on TCP 5144. Because I am using TCP I have commented out the inputs.conf entries. I assumed this is correct since this is TCP, not UDP.

  4. A TCP Data Input was created on the indexer. Sourcetype set to "pan:log", App Context set to the PA App, method set to IP, and index set to "pan_logs".

  5. Using the TRAPS test executable provided by PA Support we generated a number of malware events. Splunk sees the events coming into the pan_logs index. Sourcetype shows pan:log correctly. However, PA specific field extractions for TRAPS events appear to not be working as only the basic host, source, sourcetype, eventtype, index, and a few others are automatically discovered.

  6. I have re-run the data models because someone in one of the other posts regarding this app was asked to do so.

  7. End result... notta. Endpoint dashboard is still blank.

This is about as basic as it gets for installing apps in Splunk. Not sure what more needs to be done. Thoughts?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

david_casey
Path Finder
‎09-20-2016 10:46 AM

Update 1: I was able to get the data properly displaying in the Endpoint dashboard by changing the PA ESM Syslog format from SYSLOG to CEF and modifying the Splunk data input to use a manual sourcetype of "pan:endpoint". I am currently sending the PA ESM logs directly to Splunk. The next step is to convert everything back over to using the SYSLOG server with the same PA ESM CEF log format and hope it continues to work correctly. This needs to be future upgrade proof.

View solution in original post

Reply
Solved! Jump to solution
Solution

david_casey
Path Finder
‎09-20-2016 10:46 AM

Update 1: I was able to get the data properly displaying in the Endpoint dashboard by changing the PA ESM Syslog format from SYSLOG to CEF and modifying the Splunk data input to use a manual sourcetype of "pan:endpoint". I am currently sending the PA ESM logs directly to Splunk. The next step is to convert everything back over to using the SYSLOG server with the same PA ESM CEF log format and hope it continues to work correctly. This needs to be future upgrade proof.

Reply
Solved! Jump to solution

btorresgil
Builder
‎09-22-2016 04:48 PM

Hello, I'm one of the App/Add-on developers. It does expect CEF format, sorry if there is any confusion about that. I'll update the documentation to better reflect this requirement. Thanks for your feedback and for following up on your question.

Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎09-21-2016 03:09 PM

Hi @david_casey - Is this a current working solution to your question? If so, please click "Accept" below your answer to resolve this post. Otherwise, you can leave it alone to see if other users provide other possible solutions. Thank you!

0 Karma
Reply
Solved! Jump to solution

david_casey
Path Finder
‎09-22-2016 05:51 AM

It is. I left it open because I wanted to convert everything back over to syslog running a UF. I may not get to that testing until after .conf so I will mark this as answered for now.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...