PaloAltoNetworks/Splunk-Apps

Issues getting sourcetype=pan:* to produce data in query.

lamonica-a opened this issue · 7 comments

Describe the bug

I am currently troubleshooting the Palo Alto Add-on in my Splunk Instance.
https://splunkbase.splunk.com/app/2757

I am having an issue getting it to populate logs from my Palo Alto appliances in my environment whenever I query my network index with sourcetype=pan:firewall.

Expected behavior

I would expect data to populate tailored to the sourcetype of "pan:firewall" or "pan:*"

Current behavior

Currently, the add-on is installed only on the search heads.
The PAN-OS appliances are sending syslog data to the syslog forwarder(s).

My Splunk environment is considered a Distributed Instance Deployment.
The palo alto log data comes from a syslog forwarder over UDP/514.

Possible solution

Does the add-on also need to be installed on the indexer AND forwarder(s)?
Other configurations to take into account?

Screenshots

Three screenshots were attached (not reproduced here): Query, Sourcetype Menu, pan:firewall view.


Hello,

The add-on should be installed everywhere except for Universal Forwarders. If you are using a Heavy forwarder then it needs to be installed there too.

Where to install

Splunk Node          What to install
Search Head          Add-on and App
Indexer              Add-on only
Heavy Forwarder      Add-on only
Universal Forwarder  None

https://splunk.paloaltonetworks.com/installation.html
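Added illustration, not the add-on's code and not something posted in this thread: a small Python model of the index-time sourcetype rewrite the add-on performs, which is the reason it has to be present on the tier that indexes the data (indexers or heavy forwarders) and not only on the search heads. The Type-to-sourcetype mapping, the syslog header shape, the sample log lines and the fallback to the input sourcetype are all assumptions made for the example; the add-on's own props.conf/transforms.conf is the authority on the real behaviour.

```python
"""Model of the sourcetype rewrite the Palo Alto add-on does at index time.

Added example, not code from the add-on or from this GitHub thread. The
mapping below is an assumption modelled on the add-on's documented behaviour
(events arrive as pan:firewall / pan:log and are re-sourcetyped by log type);
the real transforms.conf regexes may differ in detail.
"""
import csv
import re
from collections import Counter
from fnmatch import fnmatchcase

# Assumed mapping: PAN-OS log Type (4th comma-separated field of the message
# body) -> sourcetype assigned by the add-on's index-time transforms.
TYPE_TO_SOURCETYPE = {
    "TRAFFIC": "pan:traffic",
    "THREAT": "pan:threat",
    "SYSTEM": "pan:system",
    "CONFIG": "pan:config",
    "HIPMATCH": "pan:hipmatch",
    "USERID": "pan:userid",
    "GLOBALPROTECT": "pan:globalprotect",
}

# RFC3164-style header a syslog forwarder typically prepends over UDP/514:
# optional <PRI>, "Mon DD HH:MM:SS", hostname, then the PAN-OS CSV body.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s(.*)$"
)


def pan_log_type(line):
    """Return the PAN-OS Type field (TRAFFIC, THREAT, ...) or None."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    fields = next(csv.reader([m.group(3)]))  # csv handles quoted fields
    return fields[3].strip().upper() if len(fields) > 3 else None


def assign_sourcetype(line, addon_on_indexer, input_sourcetype="pan:firewall"):
    """Sourcetype the event ends up indexed under.

    Without the add-on on the indexing tier nothing rewrites the sourcetype set
    on the input; with it, a recognised Type is mapped to pan:traffic and
    friends. A body the model does not recognise keeps the input sourcetype
    (assumption).
    """
    if not addon_on_indexer:
        return input_sourcetype
    return TYPE_TO_SOURCETYPE.get(pan_log_type(line), input_sourcetype)


def index_events(lines, addon_on_indexer):
    """Counter of sourcetype -> number of events indexed under it."""
    return Counter(assign_sourcetype(l, addon_on_indexer) for l in lines)


def count_matching(indexed, pattern):
    """Events a search like sourcetype=<pattern> would return ('*' wildcard)."""
    return sum(n for st, n in indexed.items() if fnmatchcase(st, pattern))


# Constructed sample lines (not real firewall output; fields shortened).
SAMPLE_LINES = [
    "Jan 12 10:15:01 pa-fw-01 1,2023/01/12 10:15:01,001701000001,TRAFFIC,end,"
    "2561,2023/01/12 10:15:01,10.1.1.25,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,"
    ",,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,"
    "2023/01/12 10:15:01,23155,1,52144,443,0,0,0x19,tcp,allow",
    "<14>Jan 12 10:15:02 pa-fw-01 1,2023/01/12 10:15:02,001701000001,THREAT,"
    "vulnerability,2561,2023/01/12 10:15:02,10.1.1.40,203.0.113.9,0.0.0.0,"
    "0.0.0.0,block-exploits,,,web-browsing,vsys1,trust,untrust,ethernet1/2,"
    "ethernet1/1,default,2023/01/12 10:15:02,23160,1,50211,80,0,0,0x80000000,"
    "tcp,reset-both,\"example.test/login\",sample-vulnerability-signature",
    "Jan 12 10:15:03 pa-fw-01 1,2023/01/12 10:15:03,001701000001,SYSTEM,general,"
    "0,2023/01/12 10:15:03,,,general,,0,0,general,informational,"
    "Config commit completed",
    "Jan 12 10:15:04 pa-fw-01 1,2023/01/12 10:15:04,001701000001,CONFIG,0,0,"
    "2023/01/12 10:15:04,10.1.1.5,,edit,admin,Web,Succeeded,"
    "vsys1 rulebase security rules allow-web",
    # Not a PAN-OS CSV body: stays under the input sourcetype in this model.
    "Jan 12 10:15:05 pa-fw-01 unrelated message",
]

if __name__ == "__main__":
    for addon in (False, True):
        idx = index_events(SAMPLE_LINES, addon_on_indexer=addon)
        print(f"add-on on indexing tier: {addon}")
        for pattern in ("pan:firewall", "pan:traffic", "pan:*"):
            print(f"  sourcetype={pattern:<13} -> {count_matching(idx, pattern)}")
```

Read as a troubleshooting check: if a search for the input sourcetype (here pan:firewall) returns raw, unparsed events, the UDP/514 input is working but the add-on's transforms are not active on the instance that indexed them; if sourcetype=pan:* returns nothing at all, the problem is upstream of the add-on (input not listening, wrong index, wrong sourcetype on the input), so verify the input before touching the add-on.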

@paulmnguyen

Is this also the case for a Single Instance Splunk Environment?

Also, could I configure this with just the Add-on installed on the Search head & Indexer, and not have the App installed on the Search head?

Yes, that is correct; only the TA is needed for parsing. I'm not sure I understand your question in regards to the single instance environment.

@paulmnguyen
https://docs.splunk.com/Documentation/Splunk/9.0.4/Overview/AboutSplunkEnterprisedeployments

Single-instance deployments
In small deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. A single-instance deployment can be useful for testing and evaluation purposes and might serve the needs of department-sized environments.

Distributed deployments
To support larger environments where data originates on many machines, where you need to process large volumes of data, or where many users need to search the data, you can scale the deployment by distributing Splunk Enterprise instances across multiple machines. This is known as a "distributed deployment".

In a typical distributed deployment, each Splunk Enterprise instance performs a specialized task and resides on one of three processing tiers corresponding to the main processing functions:

Data input tier
Indexer tier
Search management tier

@paulmnguyen
Also, my SA confirmed that the Add-on is on all indexers located in “Slave Apps”, and are installed on the search heads per the instructions for the Add-on.

What could be the issue?

Try running a search for pan:* but set the time to "All Time".