This repository has been archived by the owner on Dec 14, 2024. It is now read-only.
I recently configured my PA-410 to forward logs (threat, url, traffic, system, config) to my new Splunk instance, where I have installed both the PA Networks App and the PA Networks Add-on app as per https://splunk.paloaltonetworks.com/firewalls-panorama.html

Using Splunk search I am able to see the logs coming in and getting parsed correctly. Example log:

```
Dec 29 22:53:11 PA-410 1,2021/12/29 22:53:11,023101001XXXX,TRAFFIC,end,2561,2021/12/29 22:53:11,192.168.0.2,4.2.2.1,73.73.161.201,4.2.2.1,Internet Outbound,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LF-Splunk,2021/12/29 22:53:11,48450,1,57690,53,52930,53,0x400019,udp,allow,249,72,177,2,2021/12/29 22:52:40,0,any,,7047125035823356542,0x0,192.168.0.0-192.168.255.255,United States,,1,1,aged-out,0,0,0,0,,PA-410,from-policy,,,0,,0,,N/A,0,0,0,0,1361432c-2a9f-4e95-9639-b6303a037727,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-12-29T22:53:11.505-06:00,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",,dns,no,no,0
host = 172.17.0.1
source = udp:5155
sourcetype = pan:traffic
```

The Web Activity dashboard only shows a couple of records (for file downloads), but all other traffic is missing.

I've gone through all of the troubleshooting here, including enabling acceleration: https://splunk.paloaltonetworks.com/troubleshoot.html But I can't seem to find out why my dashboards aren't populating. Any ideas?

FYI - I tried to manually edit the search of one of the Web Activity dashboards to ensure records are there. With the following search I get no records:

```
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action
```

To troubleshoot, I started at the end and worked my way backwards. Once I removed `WHERE nodename="log.url"`, my results showed up. Not sure what that means now.

Splunk Palo app version: 7.0.4
Splunk version: 8.2.4
PAN-OS version: 10.1.4
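One way to check which PAN-OS log types are actually reaching the collector before chasing the data model, as an added example that is not part of the post or of the Palo Alto Networks app: the syslog line above is a TRAFFIC/end record, while URL filtering events are THREAT logs with subtype url, so a feed made only of traffic logs cannot populate a url node. The script strips the syslog header, CSV-parses the body (the tag field near the end of the line is quoted and contains commas, so a plain split on `,` would misalign every field after it) and counts type/subtype pairs. Field names follow the PAN-OS 10.x traffic log layout and are an assumption; the sample lines are constructed and shortened.

```python
"""Classify PAN-OS syslog lines by log type/subtype (added example)."""
import csv
import io
import re
from collections import Counter

# Syslog header "<Mon> <day> <HH:MM:SS> <hostname> " precedes the CSV body.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# Leading fields shared by all PAN-OS log types; type and subtype sit at index 3 and 4.
COMMON_FIELDS = ["future_use", "receive_time", "serial", "type", "subtype"]
# Assumed PAN-OS 10.x TRAFFIC layout for the first 38 fields (enough for triage).
TRAFFIC_FIELDS = COMMON_FIELDS + [
    "future_use2", "generated_time", "src", "dst", "natsrc", "natdst", "rule",
    "srcuser", "dstuser", "app", "vsys", "from_zone", "to_zone", "inbound_if",
    "outbound_if", "log_action", "future_use3", "session_id", "repeat",
    "sport", "dport", "natsport", "natdport", "flags", "proto", "action",
    "bytes", "bytes_sent", "bytes_received", "packets", "start", "elapsed",
    "category",
]

# Constructed sample lines modelled on the post's example; trailing fields dropped,
# but a quoted tag field with embedded commas is kept to exercise the CSV parser.
SAMPLE = [
    "Dec 29 22:53:11 PA-410 1,2021/12/29 22:53:11,023101001XXXX,TRAFFIC,end,2561,"
    "2021/12/29 22:53:11,192.168.0.2,4.2.2.1,73.73.161.201,4.2.2.1,Internet Outbound,,,"
    "dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LF-Splunk,2021/12/29 22:53:11,48450,1,"
    "57690,53,52930,53,0x400019,udp,allow,249,72,177,2,2021/12/29 22:52:40,0,any,"
    '"used-by-malware,has-known-vulnerability,pervasive-use"',
    "Dec 29 22:54:00 PA-410 1,2021/12/29 22:54:00,023101001XXXX,THREAT,url,2561,"
    "2021/12/29 22:54:00,192.168.0.2,93.184.216.34,73.73.161.201,93.184.216.34,Internet Outbound",
]

def parse_pan_syslog(line: str) -> dict:
    """Strip the syslog header and CSV-parse the body; quoted fields may hold commas."""
    body = SYSLOG_HEADER.sub("", line.strip(), count=1)
    fields = next(csv.reader(io.StringIO(body)))
    names = TRAFFIC_FIELDS if fields[3] == "TRAFFIC" else COMMON_FIELDS
    return dict(zip(names, fields))

def log_type_summary(lines) -> Counter:
    """Count (type, subtype) pairs: shows which data-model nodes the feed can populate."""
    return Counter((r["type"], r["subtype"]) for r in map(parse_pan_syslog, lines))

if __name__ == "__main__":
    for (log_type, subtype), n in sorted(log_type_summary(SAMPLE).items()):
        print(f"{log_type}/{subtype}: {n}")
```

Run it over the raw syslog feed (or a Splunk export of `sourcetype=pan:*` events) and, if no THREAT/url pairs appear, the gap is upstream of the data model, in the firewall's log forwarding profile or URL filtering logging settings.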