Here's what I have in the \Splunk_TA_paloalto\local inputs.conf:
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
Here's what I have in our syslog monitoring folder\local\inputs.conf:
[monitor://{REDACTED}\palo_alto\pa_traps**.log]
sourcetype = pan:log
index = pan_logs
host_segment = 7
There is no change whether or not I have the "index" field of the syslog folder commented out. Previously on the syslog monitoring input, I had sourcetype = pan_endpoint, and when I would do a search in Splunk, the logs would come in as pan_endpoint; however, the Endpoints tab in the PAN App would not populate data. With sourcetype = pan_endpoint I could use the PAN App, Endpoint - Searches & Reports - Search Endpoint Log Data, and pan_endpoint would appear in the search field and logs would show up. That was how I "knew" to put sourcetype = pan_endpoint in the syslog setting.
So in either scenario, using what the PA configuration documentation says OR putting pan_endpoint via the syslog input, none of the graphs/charts populate endpoint data. Further, if I comment out the "sourcetype = pan:log" in the syslog inputs.conf, the entire PAN app and all dashboards are rendered useless.
Thanks for the help!