Splunk for Palo Alto Networks is a security reporting and analysis tool, and is the result of a collaboration between Palo Alto Networks and Splunk. This document describes how to configure Splunk for Palo Alto Networks, and covers most problems in configuring Splunk for the first time.
Note: Download Splunk for Palo Alto Networks directly from the Splunk site at: http://apps.splunk.com/app/491/. Depending on the OS of the server that's running Splunk, follow the installation recommendations from the Splunk website.
If there are separate indexers and search head, install the application on all of them.
The Palo Alto Networks Next-generation Firewall uses udp/514 for syslog by default, but since this port is often used by other syslogs, we'll use udp/5514 in our examples. Choose any desired port. TCP and SSL syslogs are available in PAN-OS 6.0 and later.
Check the settings in the Splunk inputs.conf file and verify that no other configuration is using the UDP or TCP port you chose for syslogs from the firewall. Check the inputs.conf in the following directories:
Note: See the "Configuration file precedence" section in the Splunk Enterprise Admin Manual for more on the way precedences are checked on Splunk.
After configuring the data input, access and configure the app.
The first time running the app from the WebUI, a setup screen displays. You need the credentials only if you want to use the custom commands pantag, panblock, and panupdate. The WildFire API is required only for WildFire subscribers who want Splunk to index WildFire analysis reports from the cloud when a malware sample is analyzed. These credentials are stored in Splunk using encryption the same way other Splunk credentials are stored.
If you don't want to use these extra features, skip the setup screen by clicking Save.
Note: After logging into the WildFire Portal for WildFire subscribers, access the WildFire API key under the account. Copy and paste the key into the WildFire API Key (see example).
After completing setup on the Splunk site, set up the Palo Alto Networks device to send syslogs to Splunk.
The easiest way to test that everything is working is to configure the firewall to syslog all config events. Go to Device > Log Settings > Config and commit. Make any configuration change and the firewall produces a config event syslog. You don't have to commit the change for the syslog to be produced--any uncommitted change to the configuration produces a log. You can verify the log reached Splunk by going to the Splunk for Palo Alto Networks app, click Search in the navigation bar, and enter:
If Splunk is getting the syslogs from the firewall and parsing them correctly, then you'll see the config event syslogs show up here from the changes you made on the firewall configuration.
Use the method described in Test the configuration to produce some syslogs. Verify the logs are reaching the Splunk server by navigating to the Splunk for Palo Alto Networks app, click Search in the navigation bar, then enter:
If no logs show up, then the logs are not getting indexed correctly. Use these steps to find the problem:
Use the method described above in the section Test the configuration to produce some syslogs. Verify the logs are reaching the Splunk server by navigating to the Splunk for Palo Alto Networks app, click 'Search' in the navigation bar, and enter the following search:
If logs showed in step 2, but no logs show up now, then try sourcetype=pan_logs instead of sourcetype=pan_config. If the logs start showing up after that change, then the logs are not getting parsed correctly:
Check that the dashboards are populating with data. The Overview dashboard doesn't use acceleration, so it should work at this point. If it doesn't show data, then go back to troubleshooting. For all the other dashboards, after 5-8 minutes of syslogging to the Splunk server, the dashboards should populate with data. If the dashboards are populating, then acceleration and summary indexing are working. If not, check the following:
App Version 4.0 and earlier:
Uses TSIDX for acceleration.
App Version 4.1 and later:
Uses Data Model for acceleration.