Splunk for Palo Alto Networks - PAN Overview

michael_adams
New Member

I am using Splunk for Palo Alto Networks App version 3.0. When viewing the PAN overview I see:

0 PAN Reporting 0 Events 0 Block-URL N/A Top Category

I checked the pan_* sources and we are receiving data from 7 devices.

Has anyone seen this before and how do you correct the issue?

Regards,
Michael

0 Karma

monzy
Communicator

Hello Michael,

In your input configuration, please verify that your logs are going to the pan_logs index. You can check this by looking at the index field in the field discovery menu. If the index is 'main' or something else, you can fix this by going to Manager - Data Inputs - your respective input (UDP 514 is the default) - select the box that says More Settings - scroll down and choose the pan_logs index from the drop-down.

If this doesn't fix it, please share the model number of your firewall, the OS version and perhaps a sample log file. We have tested this app on PAN-OS v5.

Also, please share your inputs.conf file from $SPLUNK_HOME/etc/app/SplunkforPaloAltoNetworks/local/inputs.conf

0 Karma
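As an added illustration of the input setting the reply above describes (this is not Monzy's configuration and not the app's shipped config), here is an inputs.conf stanza for the default UDP 514 syslog input, routed to the pan_logs index. The index name and the port come from the reply; the sourcetype value, the connection_host and timestamp settings, and the file path under the app's local/ directory are assumptions.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf
# Example stanza (constructed for illustration, not taken from the app).
# Syslog from the firewalls arrives on UDP 514; the PAN Overview dashboard
# searches are scoped to the pan_logs index, so the index must be set here.
[udp://514]
index = pan_logs
sourcetype = pan_log            # assumption: sourcetype the app's props/transforms expect
connection_host = ip            # tag each event with the sending firewall's IP as host
no_appending_timestamp = true   # keep the firewall's own timestamp instead of Splunk's
```

After a restart, a search such as `index=pan_logs | stats count by host` should list the firewalls; if the same events only appear under `index=main`, the stanza is missing the `index` line or lives on a different host than the one receiving the syslog. The index is assigned where the input is defined, so in a deployment where a heavy forwarder receives the syslog, the stanza belongs in that forwarder's inputs.conf, while the pan_logs index itself must exist on the indexers.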

michael_adams
New Member

Monzy, we are finding that the problem is on one search head and one indexer. The second indexer shows the PAN overview dashboard. Our firewalls are PA 2050s and PA 5050s.

0 Karma

michael_adams
New Member

Quite simply, we know we are receiving data from our devices... it's now a parsing/processing issue with only the PAN Overview dashboard... data is filling in the other dashboards.

Thank you for your help!

0 Karma

michael_adams
New Member

Our architecture is 2 search heads, 2 indexers and 1 heavy forwarder. The app is installed on the indexers, the forwarder and 1 search head. There is no inputs.conf in the ../local/inputs.conf on any of the devices. There are indexes called pan_logs on both indexers but not on the search head or the heavy forwarder. These indexes are receiving data. On the search head there is an index for pan_logs, but we disabled this. Any thoughts?

0 Karma