Hi,
I recently installed Splunk (5.0.3 trial version) with Palo Alto Apps version 3.2.1. When I connect to the PA-200 (ver 5.0) and set up the PA box to send syslog to Splunk, I cannot see any data showing on the Splunk. I used Wireshark to check, and there is a lot of syslog traffic being sent from the PA-200 to the laptop that Splunk runs on. In the manager->data inputs->udp->514 config, I have source type: pan_log, host: ip, index: pan_logs.
Is there any reason why I don't see syslog data on Splunk?
Btw, I also checked the following: when I go to the search app -> status -> server activity -> splunkd activity overview I saw the following errors:
07-20-2013 23:26:14.420 -0400 ERROR SearchResults - Unable to open output file: path=C:\Program Files\Splunk\etc\users\admin\search\history\HPSSPTLTP019.csv.tmp error=The process cannot access the file because it is being used by another process.
host=HPSSPTLTP019
sourcetype=splunkd
source=C:\Program Files\Splunk\var\log\splunk\splunkd.log
07-20-2013 23:15:55.602 -0400 ERROR SearchResults - Failed to remove "C:\Program Files\Splunk\etc\users\admin\SplunkforPaloAltoNetworks\history\HPSSPTLTP019.csv.tmp2": The system cannot find the file specified.
host=HPSSPTLTP019
sourcetype=splunkd
source=C:\Program Files\Splunk\var\log\splunk\splunkd.log
Could that be the problem? If so, how do I fix it?
Thanks!
Tina
hey Tina,
I think you have two different issues here. One is probably related to your Splunk install and the other may be app related. Let's focus on the app one for now.
What happens when you run this search by selecting All Time on the time selector?
index=pan_logs | head 10
If you see results, ensure that the timestamps of the latest events are reasonably close to the current time in your timezone. The main dashboard is real-time. Take a look at the other dashboards. Are they empty too? Ensure that you select All Time in the time selector for those events.
If you don't see logs as a result of this search and your dashboards are empty, ensure that the user you are logged in as has access to the pan_logs index. You can confirm this by going to Manager, Access Controls, Roles.
Can you paste your Palo Alto app's input stanza here please?
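Added example (not from the thread or from the Palo Alto app): a small checker that cross-references the two things the reply above asks about, the UDP input stanza in inputs.conf and the role's searchable indexes in authorize.conf, so you can see whether events landing in pan_logs would be invisible to the logged-in role. Both config texts are constructed samples; the stanza and key names (udp://514, sourcetype, index, connection_host, srchIndexesAllowed, srchIndexesDefault) are standard Splunk settings.

```python
import configparser

# Constructed sample mirroring the thread: UDP 514 -> sourcetype pan_log, index pan_logs.
INPUTS_CONF = """
[udp://514]
sourcetype = pan_log
index = pan_logs
connection_host = ip
"""

# Constructed sample: a role that is NOT allowed to search pan_logs at all.
AUTHORIZE_CONF = """
[role_admin]
srchIndexesDefault = main
srchIndexesAllowed = main;history;summary
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-style; keep key case exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_input(inputs_conf: str, authorize_conf: str, role: str, port: int = 514) -> list[str]:
    """Return findings that would explain why a search shows no events."""
    findings = []
    inputs = parse_conf(inputs_conf)
    stanza = f"udp://{port}"
    if not inputs.has_section(stanza):
        return [f"no [{stanza}] stanza in inputs.conf"]
    index = inputs[stanza].get("index", "main")  # Splunk defaults to main
    sourcetype = inputs[stanza].get("sourcetype")
    if sourcetype != "pan_log":
        findings.append(f"sourcetype is {sourcetype!r}, the app expects 'pan_log'")
    auth = parse_conf(authorize_conf)
    role_stanza = f"role_{role}"
    if not auth.has_section(role_stanza):
        return findings + [f"no [{role_stanza}] in authorize.conf"]
    allowed = auth[role_stanza].get("srchIndexesAllowed", "").split(";")
    default = auth[role_stanza].get("srchIndexesDefault", "").split(";")
    if "*" not in allowed and index not in allowed:
        findings.append(f"role {role} cannot search index {index!r} (srchIndexesAllowed={allowed})")
    elif "*" not in default and index not in default:
        # Searchable, but only when the search names it explicitly (index=pan_logs).
        findings.append(f"index {index!r} is allowed but not a default search index for role {role}")
    return findings


if __name__ == "__main__":
    for finding in check_input(INPUTS_CONF, AUTHORIZE_CONF, "admin"):
        print("finding:", finding)
```

Adding pan_logs to the role's selected (default) search indexes only helps if it is already in the allowed list; the first branch catches the case where it is not.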
monzy,
First, by doing the search as you instructed I got no events. Then I changed the search indexes section and added pan_logs to the selected search indexes. I restarted Splunk and still saw no events in the search result.
Tina