PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://pan.dev/splunk/docs/
ISC License

Issues getting sourcetype=pan:* to produce data in query. #293

Open lamonica-a opened 1 year ago

lamonica-a commented 1 year ago

Describe the bug

I am currently troubleshooting the Palo Alto Add-on in my Splunk Instance. https://splunkbase.splunk.com/app/2757

I am having an issue getting it to populate logs from the Palo Alto appliances in my environment whenever I query my network index with sourcetype=pan:firewall.

Expected behavior

I would expect data to populate tailored to the sourcetype of "pan:firewall" or "pan:*"

Current behavior

Currently, the add-on is installed only on the search heads. The PAN-OS appliances are sending syslog data to the syslog forwarder(s).

My Splunk environment is considered a Distributed Instance Deployment. The Palo Alto log data comes from a syslog forwarder over UDP/514.

Possible solution

Does the add-on also need to be installed on the indexer AND forwarder(s)? Other configurations to take into account?

Screenshots (images not reproduced here): Query; Sourcetype Menu; pan:firewall view

welcome-to-palo-alto-networks[bot] commented 1 year ago

🎉 Thanks for opening your first issue here! Welcome to the community!

paulmnguyen commented 1 year ago

Hello,

The add-on should be installed everywhere except for Universal Forwarders. If you are using a Heavy forwarder then it needs to be installed there too.

Where to install

| Splunk Node         | What to install |
|---------------------|-----------------|
| Search Head         | Add-on and App  |
| Indexer             | Add-on only     |
| Heavy Forwarder     | Add-on only     |
| Universal Forwarder | None            |

https://splunk.paloaltonetworks.com/installation.html
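To make the installation table concrete: the add-on's index-time work (recognising a PAN-OS syslog line and assigning it a pan:* sourcetype) happens on the parsing tier, i.e. the indexer or a heavy forwarder, not on the search head. If the add-on is missing there, events are stored under whatever sourcetype the UDP input gave them and a search for sourcetype=pan:* on the search head finds nothing, however well the App is installed. The toy below is an added illustration, not the add-on's own transforms: the sample syslog lines are constructed, the generic input sourcetype "syslog", the mapping of recognised firewall log types to pan:firewall, and the log-type field at CSV position 3 (following the PAN-OS CSV syslog layout) are assumptions made for the demonstration. A quick real-world check that mirrors `count_by_sourcetype` is to search the index over all time and count by sourcetype and host, which shows what sourcetype the data actually landed under.

```python
"""Toy model of parse-tier sourcetype routing for PAN-OS syslog.

Shows why the add-on must be installed on the indexer / heavy forwarder:
without its index-time routing, every event keeps the input's generic
sourcetype and a search for sourcetype=pan:* returns nothing.
Example code, not part of the Palo Alto Networks add-on.
"""
import csv
import fnmatch
import io
from collections import Counter

# Constructed sample events: syslog header, then the PAN-OS CSV body.
# Assumed layout: CSV field index 3 is the log type (TRAFFIC, THREAT, ...).
SAMPLE_SYSLOG = [
    "Jan 10 12:00:01 fw01 1,2023/01/10 12:00:01,001234567890,TRAFFIC,end,2049,"
    "2023/01/10 12:00:01,10.0.0.5,203.0.113.7,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust",
    "Jan 10 12:00:02 fw01 1,2023/01/10 12:00:02,001234567890,THREAT,vulnerability,2049,"
    "2023/01/10 12:00:02,198.51.100.9,10.0.0.8,0.0.0.0,0.0.0.0,allow-in,,,web-browsing,vsys1,untrust,trust",
    "Jan 10 12:00:03 fw01 1,2023/01/10 12:00:03,001234567890,SYSTEM,general,0,"
    "2023/01/10 12:00:03,,,,,,,,,,,",
    # Malformed line: must not be routed to a pan:* sourcetype.
    "Jan 10 12:00:04 fw01 not,a,palo,alto,line",
]

INPUT_SOURCETYPE = "syslog"          # assumed: what the UDP/514 input assigns
ROUTED_SOURCETYPE = "pan:firewall"   # assumed: target sourcetype for firewall logs
KNOWN_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG"}


def pan_log_type(event: str):
    """Return the PAN-OS log type from the CSV body, or None if unrecognised."""
    # Split off the syslog header "<Mon> <day> <time> <host> "; the rest is CSV.
    parts = event.split(" ", 4)
    if len(parts) < 5:
        return None
    fields = next(csv.reader(io.StringIO(parts[4])))
    if len(fields) < 5:
        return None
    log_type = fields[3].strip().upper()
    return log_type if log_type in KNOWN_TYPES else None


def index_events(events, addon_on_parsing_tier: bool):
    """Simulate the parsing tier: return (sourcetype, log_type, raw) per event.

    With the add-on present, recognised firewall events are rewritten to the
    pan:* sourcetype; without it, everything keeps the input sourcetype.
    """
    indexed = []
    for raw in events:
        log_type = pan_log_type(raw) if addon_on_parsing_tier else None
        sourcetype = ROUTED_SOURCETYPE if log_type else INPUT_SOURCETYPE
        indexed.append((sourcetype, log_type, raw))
    return indexed


def count_by_sourcetype(indexed):
    """Equivalent of '| stats count by sourcetype' on the stored events."""
    return dict(Counter(sourcetype for sourcetype, _, _ in indexed))


def search_sourcetype(indexed, pattern: str):
    """Equivalent of 'sourcetype=<pattern>' with Splunk-style wildcards."""
    return [e for e in indexed if fnmatch.fnmatchcase(e[0], pattern)]


if __name__ == "__main__":
    for present in (False, True):
        stored = index_events(SAMPLE_SYSLOG, addon_on_parsing_tier=present)
        print(f"add-on on parsing tier: {present}")
        print("  stats count by sourcetype:", count_by_sourcetype(stored))
        print("  sourcetype=pan:* matches:", len(search_sourcetype(stored, "pan:*")))
```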

lamonica-a commented 1 year ago

@paulmnguyen

Is this also the case for a Single Instance Splunk Environment?

Also, could I configure this with just the Add-on installed on the Search head & Indexer, and not have the App installed on the Search head?

paulmnguyen commented 1 year ago

Yes, that is correct; only the TA is needed for parsing. I'm not sure I understand your question in regards to the single instance environment.

lamonica-a commented 1 year ago

@paulmnguyen https://docs.splunk.com/Documentation/Splunk/9.0.4/Overview/AboutSplunkEnterprisedeployments

Single-instance deployments In small deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. A single-instance deployment can be useful for testing and evaluation purposes and might serve the needs of department-sized environments.

Distributed deployments To support larger environments where data originates on many machines, where you need to process large volumes of data, or where many users need to search the data, you can scale the deployment by distributing Splunk Enterprise instances across multiple machines. This is known as a "distributed deployment".

In a typical distributed deployment, each Splunk Enterprise instance performs a specialized task and resides on one of three processing tiers corresponding to the main processing functions:

- Data input tier
- Indexer tier
- Search management tier

lamonica-a commented 1 year ago

@paulmnguyen Also, my SA confirmed that the Add-on is on all indexers, located in "Slave Apps", and that it is installed on the search heads per the instructions for the Add-on.

What could be the issue?

paulmnguyen commented 1 year ago

Try running a search for pan:* but set the time to "All Time".