All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Palo Alto logs + Syslog not showing up Palo Alto Add-On

tentontitan
New Member
‎03-19-2018 05:42 PM

I'm currently collecting Palo Alto traffic via Syslog. I'm then shooting it up to a single indexer that has both the Palo Alto App & Add-On.

[monitor:palo_logs.log]
sourcetype = pan:log
source = syslog
host = x.x.x.x
disabled = false
interval = 600

While I can search through the data as though it were any other Splunk log, the Palo Alto APP & Add-On are not recognizing or transforming the data. Meaning I do not see any events or dashboards in those apps.

Also the sourcetype = pan:log in splunk. However the documentation specifies other source types:

Palo Alto Add-On Documentation

If someone can help me determine what I'm doing wrong, I would appreciate.

0 Karma
Reply

Eric_Mcknight
Explorer
‎03-21-2018 09:39 AM

Thanks to validate:

  1. Make sure the add-on is installed on your forwarder.
  2. Me personally, i install the app and add-on on my HEAVY forwarder syslog server, and don't install it on my indexers. Actually reduces indexer load by quite a bit.
  3. Make sure the app and add-on are installed on your search head.
0 Karma
Reply

tentontitan
New Member
‎03-21-2018 10:41 AM

Interesting. I'm currently using a universal forwarder to send data to Splunk. But you're saying that won't work. And that I have to use the heavy forwarder to forward and send the data properly. That way the transformations take place on the heavy forwarder and send it to your indexer.

I'll need to experiment.

0 Karma
Reply

Eric_Mcknight
Explorer
‎03-21-2018 09:37 AM

Things to check:

  1. Configuration looks just fine.
  2. Make sure the add-on is installed on your forwarder.
  3. Make sure the APP and Add-on are installed on your search heads.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...