Issues getting sourcetype=pan:* to produce data in query. #293
Comments
Hello, the add-on should be installed everywhere except for Universal Forwarders. If you are using a Heavy Forwarder then it needs to be installed there too. Where to install
Is this also the case for a Single Instance Splunk Environment? Also, could I configure this with just the Add-on installed on the Search head & Indexer, and not have the App installed on the Search head?
Yes, that is correct: only the TA is needed for parsing. I'm not sure I understand your question in regards to the single instance environment.
@paulmnguyen
Single-instance deployments
Distributed deployments
In a typical distributed deployment, each Splunk Enterprise instance performs a specialized task and resides on one of three processing tiers corresponding to the main processing functions:
Data input tier
@paulmnguyen What could be the issue?
Try running a search for pan:* but set the time to "All Time"
Describe the bug
I am currently troubleshooting the Palo Alto Add-on in my Splunk Instance.
https://splunkbase.splunk.com/app/2757
I am having the issue of having it populate logs against my palo alto appliances in my environment whenever I query my network index and sourcetype=pan:firewall
Expected behavior
I would expect data to populate tailored to the sourcetype of "pan:firewall" or "pan:*"
Current behavior
Currently, the add-on is installed only on the search heads.
The PAN-OS appliances are sending syslog data to the syslog forwarder(s).
My Splunk environment is considered a Distributed Instance Deployment.
The palo alto log data comes from a syslog forwarder over UDP/514.
Possible solution
Does the add-on also need to be installed on the indexer AND forwarder(s)?
Other configurations to take into account?
Screenshots (images not included in this extraction): Query; Sourcetype Menu; pan:firewall view