Palo Alto Apps not showing any data

raomu
Explorer

The way syslog is set up is that the firewall forwards to the management platform, and this forwards the syslog into Splunk. So we are getting the logs from the management platform in Splunk in our default index, which is "AAA", with the default sourcetype "BBB".

We have also installed the Palo Alto add-on on the indexers (in the cloud) and also deployed the Palo Alto app on the search head.

We have created a props.conf and transforms.conf that segregate the Palo Alto data from the default sourcetype "AAA" into "pan:logs". So now we have Palo Alto data coming into our default index "AAA" with sourcetype "pan:logs".

Now, I have seen some articles that mention that in the case of Palo Alto the index is supposed to be "pan_log" and the sourcetype "pan_log". Is this something I need to do in order to see data populated in the Palo Alto app in Splunk?

Please suggest.

micahkemp
Champion

The Palo Alto TA separates the different types of logs into different sourcetypes (pan:config, pan:traffic, etc). It does this by way of a TRANSFORM defined for the pan:log sourcetype.

It sounds like you have your logs coming in as sourcetype AAA, and your indexer is changing this via a TRANSFORM to pan:log. The issue with this is the Palo Alto TA TRANSFORMS will never run against your data unless they first hit the indexer with the pan:log sourcetype. It will not work for them to come in initially as something other than pan:log (or pan_log, as you've seen referenced as well). And this does require the TA to be in place on the indexer (or heavy forwarder, if that's where the logs go through one before reaching the indexer).

My suggestion is to find a way to get those logs sourcetyped correctly as pan:log when they are first brought in to Splunk.

0 Karma
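An added configuration illustration of the point in the reply above (constructed for this page; it is not the Palo Alto TA's configuration and not the poster's files). The UDP port, the index name "AAA", the sourcetype "BBB", every stanza and transform name, and the assumption that a PAN-OS syslog line carries the log type (TRAFFIC, THREAT, SYSTEM, CONFIG) as its fourth comma-separated field are all assumptions made for the example:

```ini
# Added example for this thread; not the Palo Alto TA's configuration and not
# the poster's files. Port, index "AAA", sourcetype "BBB" and all stanza and
# transform names are assumptions. The PAN-OS syslog line is assumed to look
# like:
#   <syslog header> 1,2018/01/10 01:00:00,001122334455,TRAFFIC,end,...
# so the log type is the 4th comma-separated field.

# ---------- What the original setup did: the TA never sees pan:log ----------
# props.conf: events enter the parsing pipeline as sourcetype BBB and a
# transform rewrites the sourcetype to pan:log. Props stanzas are selected by
# the sourcetype the event had when parsing started (BBB), so the TA's
# [pan:log] stanza and the TRANSFORMS it references never run for these
# events; they are indexed as a bare pan:log with no per-log-type split.
[BBB]
TRANSFORMS-rewrite = bbb_to_pan_log

# transforms.conf
[bbb_to_pan_log]
REGEX = ^(?:[^,]*,){3}(?:TRAFFIC|THREAT|SYSTEM|CONFIG),
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:log

# ---------- Option A: assign pan:log at the input (preferred) ----------
# inputs.conf on the heavy forwarder or syslog receiver. Because the event is
# pan:log from the moment it is read, the TA's [pan:log] props stanza and its
# per-log-type transforms match on the first (and only) parsing pass, which
# is what produces pan:traffic, pan:threat, pan:system and pan:config.
[udp://5514]
sourcetype = pan:log
index = AAA
connection_host = ip

# ---------- Option B: split directly from BBB ----------
# props.conf (replaces the [BBB] stanza shown in the first section). Use this
# when the sourcetype cannot be fixed at the input, e.g. a shared syslog feed
# that also carries non-Palo Alto data. The final sourcetype is assigned in a
# single pass, so no second round of props matching is needed. The two
# transforms below are illustrative stand-ins for the ones the TA's own
# [pan_log] stanza references; in a real deployment copy that stanza, including
# any index-time settings it carries (timestamp and line-breaking settings),
# rather than these regexes, otherwise those settings are also skipped.
[BBB]
TRANSFORMS-pan_split = pan_split_traffic, pan_split_threat

# transforms.conf
[pan_split_traffic]
REGEX = ^(?:[^,]*,){3}TRAFFIC,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:traffic

[pan_split_threat]
REGEX = ^(?:[^,]*,){3}THREAT,
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:threat
```

Whichever option is used, the settings have to live on the first full Splunk instance that parses the data (the heavy forwarder if there is one, otherwise the indexers); a universal forwarder does not run these transforms, and in Splunk Cloud the indexer-side change goes through the add-on deployment rather than a hand-edited file.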

raomu
Explorer

Appreciate your response.
So, recently we finished installing the Palo Alto App/add-on on the SH and indexers. One good thing is that now I am able to see 4 sourcetypes populating automatically:

Example:

index=AAA sourcetype=pan:*

I can see all 4 sourcetypes now, i.e.

1) pan:log
2) pan:traffic
3) pan:system
4) pan:threat

But none of my dashboards in the Palo Alto app give any result.

Please suggest.

0 Karma

HiroshiSatoh
Champion

Please look here:

Where to install

It's recommended to install both the Palo Alto Networks App and Add-on on all Search Heads, Indexers, and Heavy Forwarders. Do not install on Universal Forwarders.

Also see props.conf in the app (the Palo Alto add-on). I think that if you use the same settings it will be imported correctly.

0 Karma

raomu
Explorer

Thanks for your response.
We have installed both the Palo Alto add-on and the App on the Search Head / Indexers.
So, next you want me to try copying the props.conf settings from the Palo Alto App and adding the same settings to the Palo Alto Add-on? Please confirm.

0 Karma

HiroshiSatoh
Champion

See [pan_log] in props.conf of TA_Palo. Adding the same settings to your props.conf will make it import correctly.

0 Karma

HiroshiSatoh
Champion

What is the result of running the searches below?
Acceleration of the data model may be disabled. Please rebuild the data model acceleration.

| tstats summariesonly=t count FROM datamodel="pan_firewall"

| tstats summariesonly=f count FROM datamodel="pan_firewall"

0 Karma

raomu
Explorer

I ran this:

| tstats summariesonly=t count FROM datamodel="pan_firewall"

Result below:

count
10898915

0 Karma

raomu
Explorer

Since I got the count, do you still think acceleration of the data model might be disabled?

Thanks for your time and suggestion.

0 Karma

HiroshiSatoh
Champion

If you can search with summariesonly=t, the data model acceleration is fine. What percentage does the status show? Also check that the "Updated" timestamp is not stuck.

0 Karma

raomu
Explorer

I checked under Data Model Audit and it shows status 100%.

Also, it says logs indexed for 24 hrs.

Do you think we need to wait for some time?

0 Karma

raomu
Explorer

MODEL
  Datasets: 6 Events
  Permissions: Shared in App. Owned by nobody.
ACCELERATION
  Status: 100.00% Completed
  Access Count: 159. Last Access: 1/10/18 1:08:47.000 AM
  Size on Disk: 39.02MB
  Summary Range: 604800 second(s)
  Buckets: 3365
  Updated: 1/10/18 1:10:10.000 AM

0 Karma

raomu
Explorer

Let me know if you think we need to rebuild, or what to do next.

Once again thanks 🙂

0 Karma

HiroshiSatoh
Champion

Rebuilding is unnecessary. Are any dashboards in the Palo Alto app displaying data?
Which dashboard is not displaying?
What are the versions of the Palo Alto app and the TA?

0 Karma

raomu
Explorer

We have all the default dashboards that come with the Palo Alto App, but none of them populate any data. The version we have is 6.x.

0 Karma

HiroshiSatoh
Champion

Does the following return results?

eventtype=pan | stats count by sourcetype
0 Karma

raomu
Explorer

Yes. It shows 4 sourcetypes with event counts.

0 Karma

HiroshiSatoh
Champion

There seems to be no wrong setting.
Does it really not display anything?

This is the search behind User Behavior > Traffic Events:

| tstats summariesonly=t latest(_time) AS _time, values(log.log_subtype) AS log.log_subtype, values(log.http_category) AS log.http_category, values(log.app:is_saas) AS log.app:is_saas, values(log.app:default_ports) AS log.app:default_ports, values(log.app) AS log.app, values(log.user) AS log.user, values(log.file_name) AS log.file_name, values(log.file_hash) AS log.file_hash, values(log.url) AS log.url, values(log.dest_name) AS log.dest_name, values(log.dest_port) AS log.dest_port, values(log.severity) AS log.severity, values(log.bytes_in) AS log.bytes_in, values(log.bytes_out) AS log.bytes_out count FROM datamodel="pan_firewall" WHERE (nodename="log.traffic" OR nodename="log.url" OR nodename="log.data") GROUPBY sourcetype log.serial_number log.session_id log.client_ip log.server_ip log.src_ip
| rename log.* AS * | search log_subtype="end" | stats count
0 Karma

raomu
Explorer

When I click on the User Behavior tab it shows me values in 2 panels: 1) Rare Application 2) Traffic Events.

0 Karma

HiroshiSatoh
Champion

Please also try this.

| tstats summariesonly=t count FROM datamodel="pan_firewall" GROUPBY nodename
0 Karma
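An added diagnostic ladder that strings together the checks asked for in the replies above (the tstats counts with and without summaries, the eventtype count by sourcetype, and the per-node count) so that the stage at which the data goes missing is visible in one pass. These searches are constructed for this page, not taken from the Palo Alto app or the thread; the index name AAA, the 7-day window (chosen to match the 604800-second summary range the poster showed) and the step notes in triple-backtick SPL comments are assumptions:

```spl
index=AAA sourcetype=pan:* earliest=-7d | stats count by sourcetype   ```step 1: raw events are indexed under the four pan:* sourcetypes```

index=AAA sourcetype=pan:* earliest=-7d | stats count by sourcetype eventtype tag   ```step 2: the TA's search-time knowledge (eventtype=pan, tags) is actually applied; a sourcetype with events but no tag will not satisfy the data model constraints```

| tstats summariesonly=f count FROM datamodel="pan_firewall" GROUPBY nodename   ```step 3: the data model itself maps the events onto its nodes, ignoring the accelerated summary```

| tstats summariesonly=t count FROM datamodel="pan_firewall" GROUPBY nodename   ```step 4: the summary the dashboards query holds the same nodes; only a root "log" row and no "log.traffic" / "log.threat" rows points at the child constraints, while zero here but non-zero in step 3 points at the acceleration```

| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.traffic" GROUPBY log.log_subtype   ```step 5: the Traffic Events panel keeps only log_subtype="end" records, so confirm session-end records exist in the summary```
```

Read the five results top to bottom: the first step that returns nothing is where to look. If steps 1 and 2 return rows but step 3 does not, the data model constraints are not matching the indexed data; if step 3 returns rows but step 4 does not, the summary has not been built for the dashboard's time range; if everything returns rows except the "end" subtype in step 5, the feed is delivering session-start records only and the panel has nothing to count.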