Splunk Enterprise Security

Palo Alto Networks App & Add-on Setup

cody_richardson
Path Finder

Hello all,

I am trying to get logs from Panorama into Splunk to analyze with the Palo Alto Networks App and Add-ons, and am hoping for some pointers in this process.

I am using one Search Head with Enterprise Security installed, and a separate server for the Indexer. Unfortunately all guides I've found assume both of these functions are present on the same server. The App is installed on the Search Head, and the Add-on is installed on the Indexer (per recommendation on this guide: https://splunk.paloaltonetworks.com/getting-data-in.html).

At this point I have two initial questions:

1) How can I ensure logs are sent to the Indexer and stored in the desired location?

2) Once logs are successfully sent to the Indexer, how will the App view data stored on the Indexer?

Thank you.

0 Karma
1 Solution

cody_richardson
Path Finder

Hi harsmarvania57,

After changing my search parameter to "All Time" under Presets, some of the other Dashboards have started showing data (though not all). I don't know why this is the case.

For right now, I'm content with this, despite the fact that I can't send logs directly from the Panorama. I will need to continue troubleshooting this to get logs to be accepted by the Indexers when not coming from our syslog server.

Thank you for all your help with this and providing the information that you did.


0 Karma

harsmarvania57
SplunkTrust

Hi,

If you refer to https://splunk.paloaltonetworks.com/installation.html, you will easily identify where you need to install the App and Add-on.

And to onboard the data from Palo Alto Panorama to the Indexer, please follow this document: https://splunk.paloaltonetworks.com/firewalls-panorama-and-traps.html. I prefer the syslog path because there is much less chance of data loss; if you send Firewall logs directly to the Indexer, there will be data loss when you restart the splunk service on the Indexer.

0 Karma

cody_richardson
Path Finder

Looking under Operations -> Realtime Event Feed, I am actually seeing new data being fed in. Just no other dashboard appears to be working. I did enable Datamodel Acceleration.

0 Karma

harsmarvania57
SplunkTrust

Wait for a few minutes, because DataModel acceleration takes time based on the number of events you have and the backfill period you selected.

0 Karma

cody_richardson
Path Finder

Still no luck unfortunately. Only the real-time dashboard is displaying data.

0 Karma

harsmarvania57
SplunkTrust

Is Datamodel Acceleration 100% completed? And are the logs ingesting properly with the correct sourcetype?

0 Karma

cody_richardson
Path Finder

Hello harsmarvania57,

I've been unable to get traffic directly from Panorama to the Splunk Indexer. I've pointed the Panorama syslogs back to the syslog server, and the Indexer is now receiving traffic.

I am back to troubleshooting the fact that the Realtime Event Feed displays data, but no other Dashboard does. I've read through the recommendations at https://splunk.paloaltonetworks.com/troubleshoot.html, and verified the following:

- Datamodel is fully built. All Palo Alto datamodels are at 100%.
- Acceleration is enabled.

Any further ideas?

0 Karma

harsmarvania57
SplunkTrust

If you are using version 6.0 of the Palo Alto add-on on the Indexer/Heavy Forwarder, then what sourcetype are you assigning on the syslog server while reading the log file? Is it pan:log?

The troubleshooting guide (https://splunk.paloaltonetworks.com/troubleshoot.html) they have provided is very good; if you go step by step, you will easily identify the issue.

0 Karma
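For reference, this is what a monitor input on the syslog server's forwarder looks like when it assigns the pan:log sourcetype the answer above asks about. It is an added example, not configuration from the thread or from the Palo Alto Networks Add-on documentation; the file path and index name are assumed placeholders.

```ini
# inputs.conf on the Universal Forwarder running on the syslog server
# (added example; path and index are assumed, adjust to your environment)
[monitor:///var/log/syslog-ng/panorama/*.log]
# Assign the raw sourcetype; the Add-on on the Indexer/Heavy Forwarder
# transforms pan:log into pan:traffic, pan:threat, pan:system, etc.
sourcetype = pan:log
# Index that the Palo Alto Networks App is expected to search
index = pan_logs
disabled = false
```

On the Search Head, a search such as `index=pan_logs sourcetype=pan:* | stats count by sourcetype` confirms both that events are arriving and that the Add-on has split pan:log into the specific sourcetypes the App's dashboards and data models expect.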

cody_richardson
Path Finder

Yes, I've just confirmed this looking at the inputs.conf file.

I've also confirmed that Splunk is successfully parsing this data into the correct subtypes (e.g. pan:firewall) based on searches performed in the Search & Reporting app.

0 Karma

cody_richardson
Path Finder

Quick update:

As we've been discussing this, Panorama has been sending the syslog information to a syslog server, and that syslog server has a forwarder on it sending the traffic to the Splunk Indexer.

I've removed this configuration and created a new configuration forwarding logs directly from Panorama to the Splunk Indexer. After doing this, the Real-Time feed in the app is no longer displaying information, and I cannot search for new data in the Search & Reporting App. This tells me that there must be something wrong with the new configuration.

I'd like to correct this configuration before moving forward, as this is a fresh configuration that I'll be familiar with. I'm hopeful that once I can get data to be ingested properly with this configuration, data will be displayed on the remaining dashboards.

I will take some time to do this then provide an update here. Thank you for your help so far!

0 Karma

cody_richardson
Path Finder

Okay, thank you. I will wait a few more minutes to see if the dashboards generate results.

A related question -- on the Palo Alto Network Add-on on the Indexer under the Configuration tab...what account are they asking for?

0 Karma

cody_richardson
Path Finder

Hi harsmarvania57, thanks for the reply.

I was able to get traffic from Panorama into the Splunk Indexer (I see traffic using the Search & Reporting App), but the data still isn't appearing in the Palo Alto Networks App.

Any idea why?

0 Karma

harsmarvania57
SplunkTrust

The Palo Alto Networks app has many dashboards with many panels, and those panels depend on the Datamodel, so first check whether the Palo Alto Datamodel acceleration (I guess they provide 3 Datamodels) has completed 100%.

0 Karma

cody_richardson
Path Finder

Unfortunately I'm not able to get any of the Dashboards to display data -- Web Activity, User Behavior, etc. Again, despite being able to see the raw data in the Search & Reporting App.

0 Karma

harsmarvania57
SplunkTrust

Go to the Palo Alto Networks app, then Settings -> Data Models.

And check the status of the 3 Data Models below (to check the status of a Datamodel, click on > to the left of the Datamodel):

1.) Palo Alto Networks Aperture Logs
2.) Palo Alto Networks Endpoint Logs
3.) Palo Alto Networks Firewall Logs

Are these datamodels showing status 100%? If yes, then what is the Size on Disk?

0 Karma

cody_richardson
Path Finder

Hi harsmarvania57,

I see various Palo Alto Networks Logs, but no indication of status. They seem to be built out though with various sourcetypes defined.

Size on disk is several TB with a small percentage being used. Diskspace should be no issue.

If the Search & Reporting app is able to find the logs from the Panorama, shouldn't the App be able to? Or is there a separate configuration page for the App for it to find the data?

0 Karma

harsmarvania57
SplunkTrust

As per the steps I provided in my previous comment, you need to check Datamodel acceleration on the Search Head (in the Palo Alto Networks App).

0 Karma

cody_richardson
Path Finder

They are not accelerated. What would enabling this within the context of the Palo Alto app do?

0 Karma

harsmarvania57
SplunkTrust

Many dashboards depend on Palo Alto Datamodel Acceleration; if you do not enable it, many dashboards will not populate in the Palo Alto Networks app.

0 Karma

cody_richardson
Path Finder

And I would do this on the Search Head not the Indexer?

0 Karma