Skip to content

Configure IoT Security input for the Splunk Add-on for Palo Alto Networks

Overview

IoT Security is cloud-hosted so logs are retrieved by Splunk using the IoT Security logging API. Logs are pulled down in JSON format with sourcetype=”pan:iot_alert”, sourcetype=”pan:iot_device” and eventtype=”pan_iot_device”, eventtype=”pan_iot_alert”.

Create IoT Security input

If you plan to use the IoT Security input, perform the following steps:

  1. In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
  2. Go to the Inputs page and select “Create New Input > IoT Security.
  3. In the window that opens, enter the following values:

    Field Value Description
    Name String Name that will be used for input.
    Interval Positive integer Frequency in seconds to check for new logs (60 seconds recommended) .
    Index Selection The index in which to put the IoT Security logs The default is main.
    IoT account to use Selection Select IoT Securty account used to pull data from.
  4. Select Add to save the modular input.

Verify data ingestion

After waiting the appropriate interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:

sourcetype="pan:iot*"
You should see some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in IoT Security to generate logs, and try the Troubleshooting Guide.