configuring data for splunk palo alto

remy06
Contributor

There's no data shown in the app.

Do I configure the inputs.conf at /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local or /opt/splunk/etc/system/local ?

I'm currently taking in the logs already and sourcetype as syslog.

Here's my config for inputs.conf
[udp://5555]
connection_host = ip1|ip2
sourcetype = pan_log
no_appending_timestamp = true

Anything I've missed?

0 Karma

sC0rP1u5
Explorer

I might be a little late for an answer but I just came across this issue today because we just started setting up our PAs.

My solution was to modify the macros.conf file located here $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.

The portions of the conf file I modified are below:

Base Macros
[pan_threat]
definition = index=indexname sourcetype="pan_threat" NOT "THREAT,url"

[pan_traffic]
definition = index=indexname sourcetype="pan_traffic"

[pan_system]
definition = index=indexname sourcetype="pan_system"

[pan_config]
definition = index=indexname sourcetype="pan_config"

[pan_web_activity]
definition = index=indexname sourcetype="pan_threat" "THREAT,url"

You'll notice that in your macros.conf file you won't have the index specified.

Hopefully this helps or at least helps others that come across this issue in the future.
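A quick way to check which macros would be affected, as an added example that is not part of the original post or the app's own code: a macro that filters on sourcetype without an index term only searches the role's default indexes. The sample file is constructed from the stanzas above, and `pan_threat_summary` is a hypothetical derived macro.

```python
import configparser
import re

# Constructed sample macros.conf: two stanzas with no index term, one edited
# as in the answer ("indexname" is the thread's placeholder), and one
# hypothetical derived macro that only calls another macro.
SAMPLE_MACROS = """
# Base Macros
[pan_threat]
definition = sourcetype="pan_threat" NOT "THREAT,url"

[pan_traffic]
definition = index=indexname sourcetype="pan_traffic"

[pan_system]
definition = sourcetype="pan_system"

[pan_threat_summary]
definition = `pan_threat` | stats count by threat_name
"""

# Match "index=" / "sourcetype=" as search terms, not as part of another field name.
INDEX_TERM = re.compile(r"(?<![\w.])index\s*=", re.IGNORECASE)
SOURCETYPE_TERM = re.compile(r"(?<![\w.])sourcetype\s*=", re.IGNORECASE)


def macros_missing_index(conf_text):
    """Return macro names whose definition filters on sourcetype but names no index."""
    parser = configparser.RawConfigParser(
        delimiters=("=",),        # split each line on the first "=" only
        comment_prefixes=("#",),
        strict=False,             # tolerate repeated stanzas
        allow_no_value=True,
    )
    parser.optionxform = str      # keep key case as written
    parser.read_string(conf_text)
    missing = []
    for stanza in parser.sections():
        definition = parser.get(stanza, "definition", fallback="") or ""
        if SOURCETYPE_TERM.search(definition) and not INDEX_TERM.search(definition):
            missing.append(stanza)
    return missing


if __name__ == "__main__":
    for name in macros_missing_index(SAMPLE_MACROS):
        print(f"[{name}] has no index= term")
```

Pass it the text of the app's macros.conf to list the stanzas that still need an index. A copy of the edited stanzas in the app's local/macros.conf overrides default/ and is not overwritten when the app is upgraded.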

jschelert
Engager

Adding the index=Indexname statement fixed my issue.

Thanks!

0 Karma

remy06
Contributor

I seem to be collecting some pan_system logs after placing the config. However, the host field isn't reflecting the actual PAN device IP. How should I amend it?

0 Karma