https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702357#M20571 <P>Thank you for your reply.</P><P>I will choose the Splunk-supported add-on.</P> Mon, 21 Oct 2024 08:03:30 GMT m_tanaka 2024-10-21T08:03:30Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702016#M20515 <P>I am from Japan. Sorry for my poor English and lack of knowledge about Splunk.</P><P>I received a Splunk Enterprise Trial License and would like to import Palo Alto logs and issue alerts (via email, etc.), but I am not sure how to do this (manually importing past logs succeeded). I wonder if past logs can issue alert.</P><P>About our environment, I set up all-in-one virtual server in our FJ Cloud (Fujitsu Cloud)is one virtual server and Splunk is running here. There are no forwarders installed on other servers.</P><P>I would be more than happy if you could let me know. Thank you for your support.</P> Wed, 16 Oct 2024 01:58:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702016#M20515 m_tanaka 2024-10-16T01:58:17Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702188#M20547 <P>Palo introduced HTTP Event stream in OS 8.x, so if you have anything recent install it should support that as outbound log streaming.&nbsp; Alternatively the logs can be exported over syslog but becomes infinitely more difficult ingest if you have a novice Splunk experience.</P><P>Once you can export from Palo the HTTP Event stream then you need to setup your Splunk instance to collect HEC/HTTP Event Collection and there is a lot of documentation on how to do that.</P><P><U><STRONG>Warning</STRONG></U>: Palo can generate a tremendous amount of logs and almost certainly exceeds your trial license capacity.</P> Thu, 17 Oct 2024 14:57:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702188#M20547 dural_yyz 2024-10-17T14:57:38Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702249#M20553 <P>Thank you for your reply.&nbsp;</P><P>Our department's policy seems to be to use exporting syslog and forwarding...</P><P>I referred to this video</P><P><A href="https://www.youtube.com/watch?v=wS5-jMS080s" target="_blank">https://www.youtube.com/watch?v=wS5-jMS080s</A></P><P>and I'm trying to monitor syslog over Splunk. However no events displayed on Splunk search.</P><P>I used Wireshark (tshark), and then confirmed that Splunk server could receive syslog packets.</P><P>Is there anything else that I should check ?</P> Fri, 18 Oct 2024 08:30:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702249#M20553 m_tanaka 2024-10-18T08:30:04Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702283#M20557 <P>There is an add-on for Palo Alto solutions.</P><P><A href="https://splunkbase.splunk.com/app/7523" target="_blank">https://splunkbase.splunk.com/app/7523</A></P><P>It is Splunk-supported so it should have a pretty decent manual.</P> Fri, 18 Oct 2024 20:31:56 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702283#M20557 PickleRick 2024-10-18T20:31:56Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702335#M20563 <P>Thank you for your reply.</P><P>There are two add-ons "<SPAN>Palo Alto Networks Add-on</SPAN>" and "<SPAN>Splunk Add-on for Palo Alto Networks</SPAN>".</P><P>Is there okay to go with either one ?</P><P>The video I referred on Youtube was about "<SPAN>Palo Alto Networks Add-on", and search result was displayed successfully.</SPAN></P><P><SPAN>I confirmed that the splunk server could received the syslog packets successfully using tshark.</SPAN></P><P><SPAN>what is the problem in displaying the search results.</SPAN></P> Mon, 21 Oct 2024 00:55:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702335#M20563 m_tanaka 2024-10-21T00:55:41Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702336#M20564 <P>The palo alto server transmit the syslog with the port 5514. (514 port was in use)</P><P>And I search with the query "source="udp:5514"".</P><P>Is there any problem in the query ?</P> Mon, 21 Oct 2024 01:25:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702336#M20564 m_tanaka 2024-10-21T01:25:21Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702350#M20569 <P>No. One is written by Palo Alto themselves - <A href="https://splunkbase.splunk.com/app/2757" target="_blank">https://splunkbase.splunk.com/app/2757</A></P><P>It's the older one and it's now deprecated.</P><P>The new one is written and supported by Splunk - <A href="https://splunkbase.splunk.com/app/7523" target="_blank">https://splunkbase.splunk.com/app/7523</A></P><P>Go for this one.</P><P>As a rule of thumb if you have a choice between a Splunk-supported add-on and a third-party one use the Splunk-supported one.</P> Mon, 21 Oct 2024 06:23:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702350#M20569 PickleRick 2024-10-21T06:23:40Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702357#M20571 <P>Thank you for your reply.</P><P>I will choose the Splunk-supported add-on.</P> Mon, 21 Oct 2024 08:03:30 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702357#M20571 m_tanaka 2024-10-21T08:03:30Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702360#M20572 <P>The upside to the Splunk-supported add-ons is that they have decent documentation. In this case it's</P><P><A href="https://splunk.github.io/splunk-add-on-for-palo-alto-networks/" target="_blank">https://splunk.github.io/splunk-add-on-for-palo-alto-networks/</A></P> Mon, 21 Oct 2024 09:10:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702360#M20572 PickleRick 2024-10-21T09:10:48Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702361#M20573 <P>Thank you.</P><P>I will use it as a reference.&nbsp;</P> Mon, 21 Oct 2024 09:34:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702361#M20573 m_tanaka 2024-10-21T09:34:54Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702381#M20576 <P>What is your Splunk configuration to listen for UDP 5514?</P> Mon, 21 Oct 2024 14:48:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702381#M20576 dural_yyz 2024-10-21T14:48:02Z https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702456#M20581 <P>Thank you for your reply.</P><P>UDP 514 port was in use. I have&nbsp; no idea why it is used by another process. So, I needed to use another port to receive packets from palo alto server.</P><P>However I solved this problem. The firewalld daemon was blocking the packets coming in Splunk. I stopped the firewalld, and could search the palo alto logs.</P><P>I go for the next step of issuing alerts from these logs.</P> Tue, 22 Oct 2024 00:30:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Generating-alerts-using-Palo-Alto/m-p/702456#M20581 m_tanaka 2024-10-22T00:30:34Z