Good afternoon,
We are currently sending all of our Palo Alto syslogs to a syslog server that collects multiple machines' syslogs and forwards them via a universal forwarder to our Splunk instance.
We filtered out all logs tagged with the Palo Alto device name and set the sourcetype to pan_log.
Here's the piece of our inputs.conf broken out for the Palo Alto logs from our syslog server (/prod/splunkforwarder/etc/apps/syslog/default/inputs.conf):

    [monitor:///prod/remotesyslog/logs/paloalto/]
    blacklist = .gz$
    disabled = false
    sourcetype = pan_log
    host_segment = 4
    index = syslog

The index=syslog is the generic index name we use for all syslogs rather than 'main' or 'default', etc.
We also made an update to macros.conf on the application side via our search head and included the index name, under /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default:

    # Base Macros
    [pan_threat]
    definition = index=syslog sourcetype="pan_threat" NOT "THREAT,url"

    [pan_traffic]
    definition = index=syslog sourcetype="pan_traffic"

    [pan_system]
    definition = index=syslog sourcetype="pan_system"

    [pan_config]
    definition = index=syslog sourcetype="pan_config"

    [pan_web_activity]
    definition = index=syslog sourcetype="pan_threat" "THREAT,url"
Oddly enough, under /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local
the inputs.conf listed there is empty..? Is this correct?
Now, as it stands, I am able to see under Splunk Deployment Monitor a pan_log sourcetype that is receiving traffic, but I am unable to view any data under the Palo Alto app or by doing an independent search such as sourcetype="pan_log" or 'pan_threat', etc.
Any help would be greatly appreciated.
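Added example, not from the original post and not the Splunk for Palo Alto Networks app's own code. The base macros quoted above search for sourcetype pan_threat, pan_traffic, pan_system and pan_config, while the inputs.conf stanza assigns every event sourcetype pan_log, so for those macros to return anything the sourcetype has to be rewritten at index time from the comma-separated PAN-OS log type field. The script below models that rewrite with assumed regex rules (illustrative, not the app's actual props/transforms), turns the five macros into predicates over stored events, and runs them against constructed sample lines in three situations: rewrite applied, rewrite not applied (events stay pan_log), and events landing in an index other than syslog.

```python
import re

# Constructed sample events (not from the original post). Each line mimics what a
# syslog server writes: a syslog header, then the PAN-OS CSV body, whose fourth
# field is the log type and fifth the subtype. Hosts and serial numbers are made
# up, and the CSV bodies are truncated after the fields the classifier needs.
SAMPLE_LINES = [
    "Nov  2 13:45:01 pa-fw1 1,2013/11/02 13:45:01,001606001116,TRAFFIC,end,1,2013/11/02 13:45:01,10.0.0.5,8.8.8.8",
    "Nov  2 13:45:02 pa-fw1 1,2013/11/02 13:45:02,001606001116,THREAT,vulnerability,1,2013/11/02 13:45:02,10.0.0.5,203.0.113.7",
    "Nov  2 13:45:03 pa-fw1 1,2013/11/02 13:45:03,001606001116,THREAT,url,1,2013/11/02 13:45:03,10.0.0.5,198.51.100.9",
    "Nov  2 13:45:04 pa-fw1 1,2013/11/02 13:45:04,001606001116,SYSTEM,general,0,2013/11/02 13:45:04",
    "Nov  2 13:45:05 pa-fw1 1,2013/11/02 13:45:05,001606001116,CONFIG,0,0,2013/11/02 13:45:05",
    "Nov  2 13:45:06 bastion sshd[1234]: Accepted publickey for ops from 10.0.0.9 port 51022",
]

# Assumed model of the index-time sourcetype rewrite the Palo Alto app performs:
# the raw pan_log event is matched on its log-type field and the sourcetype is
# replaced. These regexes are illustrative, not the app's own transforms.conf.
SOURCETYPE_RULES = [
    (re.compile(r",THREAT,"), "pan_threat"),
    (re.compile(r",TRAFFIC,"), "pan_traffic"),
    (re.compile(r",SYSTEM,"), "pan_system"),
    (re.compile(r",CONFIG,"), "pan_config"),
]


def index_event(raw, index="syslog", input_sourcetype="pan_log", rewrite=True):
    """Return the event as it would be stored: index, final sourcetype, _raw.

    With rewrite=False the event keeps the sourcetype assigned in inputs.conf,
    which is what a search for sourcetype="pan_log" would then find.
    """
    sourcetype = input_sourcetype
    if rewrite:
        for pattern, new_sourcetype in SOURCETYPE_RULES:
            if pattern.search(raw):
                sourcetype = new_sourcetype
                break
    return {"index": index, "sourcetype": sourcetype, "_raw": raw}


def _has_term(event, term):
    # Approximates a quoted search term: case-insensitive substring of _raw.
    return term.lower() in event["_raw"].lower()


# The five base macros from the post, reduced to predicates over a stored event.
MACROS = {
    "pan_threat": lambda e: e["index"] == "syslog"
    and e["sourcetype"] == "pan_threat"
    and not _has_term(e, "THREAT,url"),
    "pan_traffic": lambda e: e["index"] == "syslog" and e["sourcetype"] == "pan_traffic",
    "pan_system": lambda e: e["index"] == "syslog" and e["sourcetype"] == "pan_system",
    "pan_config": lambda e: e["index"] == "syslog" and e["sourcetype"] == "pan_config",
    "pan_web_activity": lambda e: e["index"] == "syslog"
    and e["sourcetype"] == "pan_threat"
    and _has_term(e, "THREAT,url"),
}


def run_macro(name, events):
    """Return the _raw of every stored event the named macro's search matches."""
    return [e["_raw"] for e in events if MACROS[name](e)]


def macro_hits(lines, index="syslog", rewrite=True):
    """Map each macro name to how many events it returns for the given lines."""
    events = [index_event(line, index=index, rewrite=rewrite) for line in lines]
    return {name: len(run_macro(name, events)) for name in MACROS}


if __name__ == "__main__":
    print("with sourcetype rewrite:   ", macro_hits(SAMPLE_LINES))
    print("without sourcetype rewrite:", macro_hits(SAMPLE_LINES, rewrite=False))
    print("indexed into 'main':       ", macro_hits(SAMPLE_LINES, index="main"))
```

Run as-is it prints one hit per macro when the rewrite applies, and zero hits for every macro when the events keep sourcetype pan_log or land in an index other than syslog; the sshd line is never rewritten and so stays pan_log in all three runs. A real check on the search head would be comparing the sourcetype values actually stored (for example a search over index=syslog grouped by sourcetype) against the sourcetypes the macros expect.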