Splunk 6.x -- Palo Alto Networks App 4.x
Splunk 5.x -- Palo Alto Networks App 3.x
Configuration and Troubleshooting guide:
https://live.paloaltonetworks.com/docs/DOC-6593
Further documentation can be found at:
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/wiki
For fastest response to support, setup, help or feedback,
please click the Ask a Question button at http://apps.splunk.com/app/491
For bugs or feature requests, you can also open an issue on github at
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/issues
Install the app under $SPLUNK_HOME/etc/apps
Note: If upgrading from a previous version, please read the Upgrade Notes below.
The first time you run the app from the web UI, you will be presented with a setup screen. The credentials are only needed if you wish to use the pantag, panblock, or panupdate custom commands. The WildFire API key is only needed if you are a WildFire subscriber and want Splunk to index WildFire analysis reports from the cloud when a malware sample is analyzed. These credentials are stored in Splunk using encryption, the same way other Splunk credentials are stored.
If you do not wish to use these extra features, you can enter placeholder values.
IMPORTANT: When you configure the input port, you must set the sourcetype of the firewall data to pan_log and the index to pan_logs. This can be done from the Web UI or the CLI. Then configure the firewall to send its logs to Splunk.
For details: http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts
Add the input stanza to $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf
Example (Palo Alto Networks firewalls default to UDP port 514):
[udp://514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
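The IMPORTANT note above is the most common setup mistake: if the network input lands data in another index or sourcetype, the app's searches and dashboards simply show nothing. The following script is an added example (not part of the app or its README) that parses an inputs.conf file and reports every udp:// or tcp:// stanza whose sourcetype or index does not match the pan_log / pan_logs values the app expects; it also flags connection_host when it differs from the "ip" setting used in the example stanza above. The stanza names, the file contents and the prefixes it considers are assumptions for the example.

```python
"""Check a Splunk inputs.conf for the settings the Palo Alto Networks app needs.

Added example, not code from the app or its README. It parses Splunk's
INI-style conf text with configparser and reports network-input stanzas
that would not feed the app's pan_log / pan_logs pipeline.
"""
import configparser
import sys

# Values the README's IMPORTANT note requires for firewall data.
REQUIRED = {"sourcetype": "pan_log", "index": "pan_logs"}
# Stanza prefixes treated as syslog-style network inputs (assumption:
# these are the Splunk input types a firewall would send logs to).
NETWORK_PREFIXES = ("udp://", "tcp://", "tcp-ssl://")


def parse_inputs_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys keep their case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    parser.read_string(text)
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def check_inputs_conf(text):
    """Return a list of (stanza, problem) tuples; an empty list means all
    network inputs are configured the way the app expects."""
    problems = []
    for stanza, settings in parse_inputs_conf(text).items():
        if not stanza.startswith(NETWORK_PREFIXES):
            continue  # file monitors and other inputs are not firewall feeds
        for key, expected in REQUIRED.items():
            actual = settings.get(key, "").strip()
            if actual != expected:
                problems.append(
                    (stanza, f"{key} is {actual!r}, expected {expected!r}"))
        # Matches the README example; 'ip' makes the host field the
        # address of the sending firewall rather than a reverse DNS name.
        if settings.get("connection_host", "").strip() != "ip":
            problems.append((stanza, "connection_host is not 'ip'"))
    return problems


# Constructed sample files for demonstration (not from a real deployment).
CONSTRUCTED_GOOD = """\
[udp://514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

[monitor:///var/log/messages]
sourcetype = syslog
"""

CONSTRUCTED_BAD = """\
[udp://514]
index = main
connection_host = dns
sourcetype = syslog
"""


def main(argv):
    """Usage: check_inputs.py [path/to/inputs.conf]; defaults to the samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sources = {argv[1]: fh.read()}
    else:
        sources = {"constructed good": CONSTRUCTED_GOOD,
                   "constructed bad": CONSTRUCTED_BAD}
    exit_code = 0
    for name, text in sources.items():
        problems = check_inputs_conf(text)
        print(f"{name}: {'OK' if not problems else f'{len(problems)} problem(s)'}")
        for stanza, problem in problems:
            print(f"  [{stanza}] {problem}")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the app's local/inputs.conf; a non-zero exit code means at least one network input would route firewall logs where the dashboards do not look.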
On the Palo Alto Networks firewall or Panorama management center, create a Log Forwarding object to send desired syslogs to the Splunk Server. Refer to the Palo Alto Networks documentation for details on log forwarding. https://live.paloaltonetworks.com/community/documentation
Note: It can take up to 5 minutes for new data to show up in the dashboards. Palo Alto Networks devices produce a variety of log types, including traffic, threat, URL filtering, malware, etc. This app works with all of the default log types. Customized log formats may not work if they are not defined in the Palo Alto Networks syslog configuration documentation (PANOS-Syslog-Integration-TN-RevM).
Starting in version 4.1 of this app, all of the dashboards use the Splunk 6 Datamodel feature, which allows for pivot of Palo Alto Networks data and better control and acceleration of summary indexes used by the dashboards. This replaces the TSIDX feature from Splunk 5.
If you are upgrading the app from a pre-4.1 version to 4.1 or higher, you may delete the TSIDX files that were generated by the previous version of the app. To delete them, look under $SPLUNK_HOME/var/lib/splunk/tsidxstats/ and remove any directories whose names start with pan_. There could be up to 10 such directories.
After upgrade to 4.1 or higher, Splunk will backfill the datamodel with historic data up to 1 year old. It may take some time for historic data to show up in the dashboards, but it will be available in the pivot interface and search immediately. The time range for historic data to be available in the dashboards can be adjusted in the datamodel accelerations settings.
If you have customized the built-in dashboards of a previous app version, they will no longer work because the customized dashboards still use TSIDX. Remove your custom dashboards from the local directory of the app to use the new datamodel-based dashboards. You can then add your customizations to the new dashboards.
This app is available on Splunk Apps and GitHub. Optionally, you can clone the GitHub repository to install the app.
From the directory $SPLUNK_HOME/etc/apps/, type the following command:
git clone https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks.git SplunkforPaloAltoNetworks
Version 4.2
Note: changes to the datamodel in this version may require the acceleration index to be rebuilt before data shows up in the dashboards.
Version 4.1.1
Version 4.1
If upgrading from a previous version, please read the Upgrade Notes in the documentation.
pantag - tag IP addresses on the firewall into Dynamic Address Groups
Version 4.0.1
Version 4.0
Download a 30-day free trial of NetFlow Integrator at https://www.netflowlogic.com/downloads
Steps to configure NetFlow are available in the NetFlow section of the app documentation.
Version 3.3.2
Version 3.3.1
Version 3.3
And features from version 3.3
- Malware analysis reports from the WildFire Cloud are dynamically downloaded and indexed when a WildFire log is received from a firewall.
- WildFire dashboard
- Recent WildFire events
- Graphs of WildFire statistical data
- Detect compromised hosts using malware behavior to traffic log correlation
Note: Malware analysis report retrieval requires a WildFire API Key from https://wildfire.paloaltonetworks.com
Bug Fixes:
savedsearches.conf: changed hard-coded index=pan_logs to pan_index in scheduled searches. Thanks to Genti Zaimi for finding the issue and providing the fix
pan_overview_switcher_maps.xml: modified the geoip search to include localop, forcing the search to run on the search head. Thanks to Genti Zaimi for identifying the problem and providing the fix
Major improvements on drilldowns in charts - Greets to Joel Bennett
Added a setup.xml for Palo Alto device credentials.
Bug Fix: panupdate custom command; removed hardcoded IP for panorama. Greets to Jeff Hillon and Palo Alto Networks teams for identifying this issue and helping to test the fix.
Known Issues
Completely redone searches for views and dashboards
Significant performance improvements for dashboards and views
A new Threat Detail Dashboard
Threat Overview fields auto-update filter and auto-redirect to Threat Detail
Custom Command to add/remove host/address objects from the PAN firewall
Removed summary indexing
Overview page runs on base index
Pan Log sourcetype now visible in web ui for adding new inputs
Added new app icon
Remove submit button from web usage report page
Main landing page runs on pan_index macro
Fixed: Web dashboard doesn't render
Fixed: pan_traffic macro doesn't produce results
Fixed: TRANSFORM- to TRANSFORMS- in props.conf
Fixed: Ingress/Egress interface labeling errors
Fixed: Sometimes the main dashboard's single value font matches background
Request: Make app installable via the web ui
Request: Change macros definitions to include base index other than pan_logs
Request: Allow for custom index to be inherited automatically. Works on all views except the landing page
Request: Disable summary indexing
Request: Add a README file to the app
App is now CIM compliant. Many thanks to Jim Hansen for this effort.
Updated timestamp extraction. Updated Sourcetyping to accommodate PA-2050 threat events (thanks to Andy Stovall for highlighting this.)
FIXED: dangling MAX_TIMESTAMP_LOOKAHEAD in props.conf; causing app conflict (Thanks to Tat-Wee Kan for bringing this up)
FIXED: traffic search in traffic_overview dashboard to include 'Action' as a parameter
Added: default indexes.conf
Removed Inputs.conf from local
Added Screenshot.jpg
Updated README instructions for adding inputs