Palo Alto data not showing up

zfarling · ‎08-09-2013

Running Splunk on RHEL x64 with the latest version of the Palo Alto app. On the over view screen I can see 1 pan reporting and events showing up nothing in the block-url and N/A on the top category everything else is blank. When i do a search for index I only get "pan_logs" and the only source type is "pan_log"

My inputs.conf is as follows:

[udp://512]

index= pan_logs

connection_host= ip

sourcetype= pan_log

#no_appending_timestamp = true

If i do

no_appending_timestamp = true

nothing will show up on the overview paged everything is 0.

My macros.conf hasn't been changed

Any help would be nice.

franks59 · ‎03-11-2014

I am having exactly the same problem. I am receiving data ok and it is being parsed. However no tsindex files are being created and I believe all the views depend on them.

btorresgil · ‎08-09-2013

Hi zfarling,

It is normal to have the index be "pan_logs" and the sourcetype "pan_log". And based on the fact that on the Overview screen the "PAN Reporting" and "Events" counts are not zero, it sounds like you are receiving something from your firewall. But you should be able to search the data. A few things to check...

It looks like you're using UDP 512 according to the inputs.conf in the question. UDP 514 is the default for the firewall, so just make sure the firewall is set to use UDP 512 also, to match your inputs.conf.
Click 'Search' in the menu bar, set the time range to "All time", and use one of the available macros, like...

`pan_index`

Those are back-ticks surrounding the macro, not apostrophes. You should get at least one event to come up with this search.

From the linux command line, try a tcpdump on UDP 512 to verify you're receiving the syslogs.
On the firewall, check what log types you are sending to Splunk in your Log Forwarding Profile. Try sending all types of traffic and threat logs.
On the firewall, apply a URL filtering profile, file blocking profile, etc that are set to 'alert'. This will make the firewall report any URL's, or files it sees in the traffic.
Ensure the Log Forwarding Profile is applied to the same security rules as the URL filtering profile, file blocking profile, etc. This makes any alerts from these profiles forward to Splunk.

zfarling · ‎08-12-2013

I did like you said and did a search for pan_traffic and nothing showed up. The version of the Palo Alto app that I am showing under Apps is 3.3.1. On the Pan I am using the default settings for the syslogs and I have it set to send everything to Splunk.

btorresgil · ‎08-09-2013

The app gets all logs as sourcetype=pan_log, then parses them into their respective sourcetype like sourcetype=pan_traffic. Try one of the macros like:

`pan_traffic`

Do you see anything there? If not, then it might be having trouble parsing the logs. Check on the firewall that you're using default CSV format for syslogs so the app can parse them.

Also, it concerns me that the dashboard inspect button came up with "index=pan_logs sourcetype="pan_traffic"" because the latest versions use "tstats" instead. Are you sure you're on the latest version fo the app? (currently version 3.3.1).

zfarling · ‎08-09-2013

Thank you that worked I can see the data in the search. Now when I go to look at the traffic logs it is giving me "no matching events found. inspect..."

the inspect file shows index=pan_logs sourcetype="pan_traffic"

I did a search for pan_traffic, pan_threat, pan_system, pan_config and nothing will show up.

Palo Alto data not showing up

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life