All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Palo Alto Networks: How do I troubleshoot this log parsing issue for PAN firewall?

binbing
New Member
‎06-28-2015 03:20 PM

Splunk receives the logs from PAN firewall and logs show up with index=pan_logs, but when I try index=pan_logs sourcetype=pan_config, no logs show up. Then I tried sourcetype=pan_logs instead of sourcetype=pan_config. Logs start showing up after that change, but according to the following message, the logs are not getting parsed correctly. 

Check that you are not using a Custom Log Format in the syslog server setting on the firewall.  " NO custom log in use"
Check that the inputs.conf file is configured with the line "no_appending_timestamp = true",  " yes, the line is in the inputs.conf"
No forwarder is in use.

Not sure how to resolve the parsing issue. PAN Firewall version is 6.2.0. Splunk for Palo Alto firewall is version 4.2.1

0 Karma
Reply

mbenwell
Communicator
‎06-29-2015 03:50 AM

What Splunk architecture do you have?

As sourcetype=pan_logs works, I suspect you might have simply incorrectly named the sourcetype incorrectly in inputs.conf. It should be 'sourcetype=pan_log' not 'sourcetype=pan_logs'. The app will rewrite sourcetype=pan_log to other sourcetypes based on data being sent in with a sourcetype of 'pan_log'.

If sourcetype=pan_logs happens to be a typo and the sourcetype is actually 'pan_log', then I suspect you have a distributed architecture. In a distributed architecture there are some processes (in particular the sourcetype renaming) which are performed by the indexers as data goes in. The main config you need is in the props.conf and transforms.conf files (should be here: $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/). The configuration in these files is what rewrites the pan_log sourcetype to each respective sourcetype based on text in each log message.

Hope that helps

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...