This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Splunk and Palo Alto Networks Integration in AWS: Log Data Discrepancies

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Splunk and Palo Alto Networks Integration in AWS: Log Data Discrepancies

miasmith500
L1 Bithead

‎08-22-2023 11:32 PM - last edited on ‎08-23-2023 01:23 AM by

Hello,

 

Recently, in our organization, we undertook the task of integrating Splunk with our existing Palo Alto Networks infrastructure within our AWS environment. The integration process was fairly smooth, and we were eager to begin monitoring and analyzing our network logs using Splunk's capabilities.

However, as we started to deep dive into the log data, we noticed certain discrepancies. Some log entries, when visualized in Splunk, appear differently than when they're viewed directly in the PAN-OS console. This has raised concerns about the accuracy and consistency of the data we're analyzing.

I wanted to reach out and see if anyone in this community has faced a similar issue. Specifically:

Have you observed any discrepancies in log data between the PAN-OS  and Splunk  console in your integrations?
If so, what measures did you take to address or troubleshoot the problem?

 

Thanks in advance!

Regards
Mia Smith
0 Likes Likes
2 REPLIES 2

uthhab2
L0 Member

‎08-24-2023 12:01 AM

Yes, discrepancies between log data in Palo Alto Networks (PAN-OS) and Splunk integrations can occur due to parsing, timestamps, and data processing differences. Verify data integrity and consistent log generation. Review parsing and indexing settings in Splunk to match log format. Ensure timestamp consistency and timezones. Manually compare raw log entries in both systems. Consult documentation, support, and experts if discrepancies persist.

0 Likes Likes

uthhab2
L0 Member

‎08-24-2023 09:30 PM - edited ‎08-24-2023 09:31 PM

Check the parsing and indexing configuration in Splunk. Splunk uses regular expressions and configurations to extract and index data. Ensure that your Splunk configuration aligns with the log format used by Palo Alto Networks devices. Misconfigured or incomplete parsing rules could lead to discrepancies. Timestamps are crucial for accurate log analysis. Ensure that the timestamps in your log data are correctly parsed and indexed in Splunk. If the timestamps are mismatched or not aligned properly, it can lead to discrepancies between the PAN-OS console and Splunk.

 

 

 

 

 

 

PaybyPlateMa Invoice

0 Likes Likes
  • 1161 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks