I'm currently collecting Palo Alto traffic via Syslog. I'm then shooting it up to a single indexer that has both the Palo Alto App & Add-On.
# inputs.conf stanza; a file monitor needs the monitor:// prefix in its header
[monitor://palo_logs.log]
sourcetype = pan:log
source = syslog
host = x.x.x.x
disabled = false
# interval applies to scripted and modular inputs; file monitors ignore it
interval = 600
While I can search through the data as though it were any other Splunk log, the Palo Alto App & Add-On are not recognizing or transforming the data, meaning that I do not see any events or dashboards in those apps.
Also, the sourcetype is pan:log in Splunk. However, the documentation specifies other source types:
Palo Alto Add-On Documentation
If someone can help me determine what I'm doing wrong, I would appreciate it.
Thanks to validate:
Interesting. I'm currently using a universal forwarder to send data to Splunk. But you're saying that won't work. And that I have to use the heavy forwarder to forward and send the data properly. That way the transformations take place on the heavy forwarder and send it to your indexer.
I'll need to experiment.
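A small check for the sourcetype question raised above, added here as an example and not taken from the original thread: it strips the syslog header from a few constructed PAN-OS lines, reads the Type field (the fourth CSV field), and reports which of the documented pan:* sourcetypes the add-on would rewrite each event to. The Type-to-sourcetype mapping is an assumption based on the documented sourcetype names, not a copy of the add-on's own transforms; any event that stays on pan:log is one the app's dashboards will never pick up.

```python
import re

# Constructed sample PAN-OS syslog lines (not from the original post). The CSV
# body follows the syslog header, and the fourth CSV field is the log Type.
SAMPLE_LINES = [
    "<14>Oct  3 10:01:02 pa-fw 1,2023/10/03 10:01:02,001234567890,TRAFFIC,end,2049,2023/10/03 10:01:02,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust",
    "<14>Oct  3 10:01:03 pa-fw 1,2023/10/03 10:01:03,001234567890,THREAT,vulnerability,2049,2023/10/03 10:01:03,10.0.0.7,93.184.216.34,0.0.0.0,0.0.0.0,allow-out",
    "<14>Oct  3 10:01:04 pa-fw 1,2023/10/03 10:01:04,001234567890,SYSTEM,general,0,2023/10/03 10:01:04",
    "<14>Oct  3 10:01:05 pa-fw some free-text line that is not a PAN-OS CSV record",
]

# Assumed mapping from the PAN-OS Type field to the add-on's rewritten
# sourcetypes (documented names; the add-on's own regexes are not reproduced).
TYPE_TO_SOURCETYPE = {
    "TRAFFIC": "pan:traffic",
    "THREAT": "pan:threat",
    "SYSTEM": "pan:system",
    "CONFIG": "pan:config",
}

# Matches an optional <PRI> plus the BSD syslog timestamp and hostname.
SYSLOG_HEADER = re.compile(r"^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+")


def expected_sourcetype(line):
    """Return the sourcetype the add-on would assign to this line, or
    'pan:log' when there is no recognisable Type field to key on."""
    body = SYSLOG_HEADER.sub("", line, count=1)
    fields = body.split(",")
    if len(fields) < 4:
        return "pan:log"
    return TYPE_TO_SOURCETYPE.get(fields[3].strip(), "pan:log")


def summarise(lines):
    """Count lines per expected sourcetype; a non-zero pan:log count is the
    set of events that would not feed the app's dashboards."""
    counts = {}
    for line in lines:
        sourcetype = expected_sourcetype(line)
        counts[sourcetype] = counts.get(sourcetype, 0) + 1
    return counts


if __name__ == "__main__":
    for sourcetype, count in sorted(summarise(SAMPLE_LINES).items()):
        print(f"{sourcetype}: {count}")
```

Run it against a tail of the real syslog file to see whether the lines arriving at the forwarder even carry the Type field the rewrite depends on; if they do and the indexer still shows only pan:log, the parsing is not happening where the add-on is installed.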
Things to check: