Palo Alto Networks and Splunk have partnered to deliver an advanced security reporting and analysis tool. The collaboration delivers operational reporting as well as simplified and configurable dashboard views across Palo Alto Networks family of next-generation firewalls.
Splunk for Palo Alto Networks leverages the data visibility provided by Palo Alto Networks's firewalls with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool. This app enables security analysts, administrators, and architects to correlate application and user activities across all network and security infrastructures from a real-time and historical perspective. Complicated incident analysis that previously consumed days of manual and error-prone data mining can now be completed in a fraction of the time, saving not only manpower but also enabling key enterprise security resources to focus on critical, time-sensitive investigations.
Splunk 6.x -- Palo Alto Networks App 4.x
Splunk 5.x -- Palo Alto Networks App 3.x
Configuration and Troubleshooting guide:
Further documentation can be found at:
For fastest response to support, setup, help or feedback,
please click the Ask a Question button at http://apps.splunk.com/app/491
For bugs or feature requests, you can also open an issue on github at
Quick Start Guide
Install the app:
- Unpack the tar ball into
- Restart Splunk
Note: If upgrading from a previous version, please read the Upgrade Notes below.
Setup Screen and Custom Commands
The first time you run the app from the web ui, you will be presented with a setup screen. The credentials are only needed if you wish to use the
panupdate custom commands. The WildFire API is only needed if you are a WildFire subscriber and want Splunk to index WildFire analysis reports from the cloud when a malware sample is analyzed. These credentials will be stored in Splunk using encryption the same way other Splunk credentials are stored.
If you do not wish to use these extra features, you can enter garbage values.
To get the firewall data into Splunk
IMPORTANT: When you configure the input port, you must set the sourcetype of the firewall data to pan_log and the index to pan_logs. This can be done from the Web UI or the CLI. Then, configure the firewall to set traffic to Splunk.
From the Splunk Web UI
- Navigate to Manager -> Data Inputs -> UDP -> New
- Set the UDP port (Palo Alto Networks firewalls default to port 514)
- Set sourcetype: From list
- Select source type From list: pan_log
- Click on More settings
- Index: pan_logs
From the CLI via inputs.conf
Example: (Palo Alto Networks firewalls default to udp port 514)
[udp://514] index= pan_logs connection_host = ip sourcetype = pan_log no_appending_timestamp = true
Configure the Firewall
On the Palo Alto Networks firewall or Panorama management center, create a Log Forwarding object to send desired syslogs to the Splunk Server. Refer to the Palo Alto Networks documentation for details on log forwarding. https://live.paloaltonetworks.com/community/documentation
Note: It can take up to 5 minutes for new data to show up in the dashboards. Palo Alto Networks devices have a variety of different logs including traffic, threat, url filtering, malware, etc. This app works with the all the default log types. Customized log types may not work, if they are not defined in the Palo Alto Networks syslog configuration documentation (PANOS-Syslog-Integration-TN-RevM).
Starting in version 4.1 of this app, all of the dashboards use the Splunk 6 Datamodel feature, which allows for pivot of Palo Alto Networks data and better control and acceleration of summary indexes used by the dashboards. This replaces the TSIDX feature from Splunk 5.
If you are upgrading the app from a pre-4.1 version to 4.1 or higher, then you may delete the TSIDX files that were generated by the previous version of the app. To delete the TSIDX files, look under $SPLUNK_HOME$/var/lib/splunk/tsidxstats/ and remove any directories that start with
pan_. There could be up to 10 directories.
After upgrade to 4.1 or higher, Splunk will backfill the datamodel with historic data up to 1 year old. It may take some time for historic data to show up in the dashboards, but it will be available in the pivot interface and search immediately. The time range for historic data to be available in the dashboards can be adjusted in the datamodel accelerations settings.
If you have customized the built-in dashboards of a previous app version, then they will no longer work because the customized dashboards will still use TSIDX. Remove your custom dashboards from the
local directory of the app to use the new datamodel-based dashboards. You can add your customizations to the new dashboards.
Installing from Git
git clone https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks.git SplunkforPaloAltoNetworks