Hi,
I recently installed Splunk (5.0.3 trial version) with the Palo Alto Networks app version 3.2.1. When I connect to the PA-200 (ver 5.0) and set up the PA box to send syslog to Splunk, I cannot see any data showing up in Splunk. I used Wireshark to check, and there is a lot of syslog traffic being sent from the PA-200 to the laptop that Splunk runs on. In the Manager -> Data inputs -> UDP -> 514 config, I have sourcetype: pan_log, host: ip, index: pan_logs.
Is there any reason why I don't see syslog data in Splunk?
Btw, I also checked the following: when I go to the Search app -> Status -> Server activity -> splunkd activity overview, I see the following errors:
07-20-2013 23:26:14.420 -0400 ERROR SearchResults - Unable to open output file: path=C:\Program Files\Splunk\etc\users\admin\search\history\HPSSPTLTP019.csv.tmp error=The process cannot access the file because it is being used by another process.
host=HPSSPTLTP019
sourcetype=splunkd
source=C:\Program Files\Splunk\var\log\splunk\splunkd.log
07-20-2013 23:15:55.602 -0400 ERROR SearchResults - Failed to remove "C:\Program Files\Splunk\etc\users\admin\SplunkforPaloAltoNetworks\history\HPSSPTLTP019.csv.tmp2": The system cannot find the file specified.
host=HPSSPTLTP019
sourcetype=splunkd
source=C:\Program Files\Splunk\var\log\splunk\splunkd.log
Could that be the problem? If so, how do I fix it?
Thanks! Tina
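Added example, not part of Tina's post: a small Python helper for isolating where the syslog path described above breaks. It renders the inputs.conf stanza equivalent to the Manager settings in the question (port 514, sourcetype pan_log, index pan_logs, host set from the sender IP) so it can be compared against `splunk btool inputs list udp --debug`; it builds an RFC 3164 style datagram carrying a unique marker string that can be fired at the Splunk host on UDP 514; and it includes an offline loopback self-check on an ephemeral port. The PAN-OS-looking CSV body, the hostname pa200-test and the marker are constructed placeholders, not real firewall output. Two points worth checking before blaming the splunkd errors: the pan_logs index must actually exist on the indexer (a UDP input pointed at a non-existent index does not produce searchable events), and a plain search only covers the default indexes, so the marker has to be searched with an explicit index=pan_logs.

```python
import socket
from datetime import datetime

# Settings as described in the post (Manager -> Data inputs -> UDP -> 514).
UDP_PORT = 514
SOURCETYPE = "pan_log"
INDEX = "pan_logs"


def inputs_stanza(port=UDP_PORT, sourcetype=SOURCETYPE, index=INDEX, host="ip"):
    """inputs.conf equivalent of the Manager settings, to compare with
    `splunk btool inputs list udp --debug` on the Splunk host.
    'host: ip' in Manager corresponds to connection_host = ip."""
    return (
        f"[udp://{port}]\n"
        f"sourcetype = {sourcetype}\n"
        f"index = {index}\n"
        f"connection_host = {host}\n"
    )


def build_marker_datagram(marker, hostname="pa200-test", now=None):
    """RFC 3164 style syslog datagram: <PRI>Mmm dd hh:mm:ss HOST MSG.
    PRI 14 = facility user (1) * 8 + severity informational (6).
    The CSV body is a constructed placeholder, not a real PAN-OS line."""
    now = now or datetime(2013, 7, 20, 23, 26, 14)
    # RFC 3164 pads the day with a space, not a zero.
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    body = f"1,{now:%Y/%m/%d %H:%M:%S},TEST,TRAFFIC,end,marker={marker}"
    return f"<14>{ts} {hostname} {body}".encode("ascii")


def send_marker(marker, host="127.0.0.1", port=UDP_PORT):
    """Send one marker datagram to host:port (the Splunk laptop, port 514
    in the post) and return the bytes that were sent."""
    data = build_marker_datagram(marker)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(data, (host, port))
    return data


def loopback_roundtrip(marker):
    """Offline self-check: bind a throwaway UDP listener on an ephemeral
    loopback port, send the marker to it, and return (sent, received).
    A working Splunk UDP input sees exactly `sent` arriving on port 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        sent = send_marker(marker, port=port)
        received, _ = rx.recvfrom(65535)
    return sent, received


def search_for_marker(marker, index=INDEX, sourcetype=SOURCETYPE):
    """SPL that confirms the marker was indexed. Without index= the search
    only covers the default indexes, so events in pan_logs are missed even
    when ingestion is working."""
    return f'index={index} sourcetype={sourcetype} "marker={marker}"'


if __name__ == "__main__":
    print(inputs_stanza())
    sent, got = loopback_roundtrip("splunk-udp-check-0001")
    print("loopback ok" if sent == got else "loopback MISMATCH")
    print("then search:", search_for_marker("splunk-udp-check-0001"))
```

Usage against a real Splunk host: run `send_marker("some-unique-string", host="<splunk laptop ip>")` from a machine that can reach UDP 514, then run the SPL returned by `search_for_marker` in the Search app. If the marker never appears while Wireshark shows the datagram arriving, the problem is on the Splunk side (input not enabled, index missing, or the Windows firewall dropping inbound UDP 514 before splunkd sees it); if it does appear, the PA-200's messages are arriving but are not being indexed as expected and the input's sourcetype/index settings are the next thing to compare against the btool output.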