Configure IoT Security input for the Splunk Add-on for Palo Alto Networks¶
Overview¶
IoT Security is cloud-hosted so logs are retrieved by Splunk using the IoT Security logging API. Logs are pulled down in JSON format with sourcetype=”pan:iot_alert”, sourcetype=”pan:iot_device” and eventtype=”pan_iot_device”, eventtype=”pan_iot_alert”.
Create IoT Security Input¶
If you plan to use the IoT Security input, you must perform the following steps:
- In Splunk, navigate to the Splunk Add-on for Palo Alto Networks.
- Go to “Inputs” page and click on “Create New Input” select “IoT Security”.
In pop-up window fill .....
| Field | Value | Description |
|---|---|---|
| Name | String | Name that will be used for input. |
| Interval | Positive integer | Frequency in seconds to check for new logs (60 seconds recommended) . |
| Index | Selection | The index in which to put the IoT Security logs The default is main. |
| IoT account to use | Selection | Select IoT Securty account used to pull data from. |
Then click Add to save the modular input.
Verify data ingestion¶
After waiting the appropriate interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:
sourcetype="pan:iot*"