So I'm trying to configure this on a relatively new Splunk install. I have the firewalls sending over some traffic and threat logs. If I search eventtype=pan:log
I get results, so my logs are hitting Splunk. However, in the PAN app nothing is appearing. It seems like it is not properly changing it to pan_threat, etc.
I'm relatively new to Splunk, but it feels like this just isn't being indexed correctly. What do I need to do to make sure this gets parsed correctly?
Configuration on 6.5.0; App version 5.2
Hi @jchamb - Did one of the answers below help provide a solution to your question? If yes, please don't forget to click "Accept" below the best answer and up-vote any answer that was helpful. If no, please provide some more feedback by leaving a comment. Thanks!
Do you have both the Addon and App installed on the Search Head you're using? Also do you pass the logs through a Heavy Forwarder? I use the app successfully currently and our setup is:
Search Heads: Addon & App
Indexers: Addon
Heavy Forwarder: Addon
The configurations that Splunk uses to modify the logs are in the add-on, and they need to be in place at both the Search Head level (so it knows what the different PAN objects are) and the point of entry (either HF or Indexer) so it knows what metadata to alter at index time.
Also, if it was working for you prior to 6.5, there may have been a change internally which threw off the macros and items the app is using. I noticed there is a new version of the App/Addon posted to the GitHub for this app, and it should be on Splunkbase pretty soon, I'd think.
Also make sure that your version of PAN-OS is compatible with the Addon version you're using, as sometimes the formatting is changed by PA.
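As an added illustration of the point above about index-time rewriting (this is not code from the thread or from the Palo Alto add-on), the following script checks a props.conf/transforms.conf pair for the chain that turns incoming pan:log events into pan_threat, pan_traffic and so on, and reports what is missing; the stanza and rule names in the sample configs are constructed, not the add-on's real ones. Feed it the merged config from the indexer or heavy forwarder (for example the output of `splunk cmd btool props list pan:log --debug`) to see why events stay at pan:log.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text ([stanza] blocks with key = value). Keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as TRANSFORMS-xxx are case-sensitive
    cp.read_string(text)
    return cp

def check_rewrite_chain(props_text, transforms_text, source_st="pan:log"):
    """Return (problems, target_sourcetypes) for the index-time rewrite of source_st."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    problems, targets = [], []
    if not props.has_section(source_st):
        return [f"no [{source_st}] stanza in props.conf"], targets
    # Every TRANSFORMS-* key lists the transforms.conf rules applied at index time
    rules = [r.strip() for key, val in props.items(source_st)
             if key.startswith("TRANSFORMS-") for r in val.split(",") if r.strip()]
    if not rules:
        problems.append(f"[{source_st}] has no TRANSFORMS-* rules: events stay {source_st}")
    for rule in rules:
        if not transforms.has_section(rule):
            problems.append(f"rule {rule} referenced but missing from transforms.conf")
            continue
        dest = transforms.get(rule, "DEST_KEY", fallback="")
        fmt = transforms.get(rule, "FORMAT", fallback="")
        if dest != "MetaData:Sourcetype" or not fmt.startswith("sourcetype::"):
            problems.append(f"rule {rule} does not rewrite the sourcetype")
            continue
        target = fmt.split("::", 1)[1]
        targets.append(target)
        if not props.has_section(target):  # search-head side knowledge for the new sourcetype
            problems.append(f"target [{target}] has no props.conf stanza")
    return problems, targets

# Constructed sample configs (hypothetical rule names, not the real add-on's)
GOOD_PROPS = "[pan:log]\nTRANSFORMS-panlog = pan_threat_st, pan_traffic_st\n[pan_threat]\n[pan_traffic]\n"
BROKEN_PROPS = "[pan:log]\n[pan_threat]\n[pan_traffic]\n"  # add-on's index-time config absent on HF
SAMPLE_TRANSFORMS = (
    "[pan_threat_st]\nREGEX = ,THREAT,\nDEST_KEY = MetaData:Sourcetype\nFORMAT = sourcetype::pan_threat\n"
    "[pan_traffic_st]\nREGEX = ,TRAFFIC,\nDEST_KEY = MetaData:Sourcetype\nFORMAT = sourcetype::pan_traffic\n"
)

if __name__ == "__main__":
    for label, props in (("good", GOOD_PROPS), ("broken", BROKEN_PROPS)):
        problems, targets = check_rewrite_chain(props, SAMPLE_TRANSFORMS)
        print(label, "->", targets, problems)
```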
Please check if your Palo Alto is sending all Logs (threat, url, traffic, wildfire).
I noticed a similar behavior, and the cause was some missing threat logs.
Is your Palo Alto data model accelerated? If I recall correctly, the app pulls data in from there using the tstats command.