topic First Time Setup with Heavy Forwarder Help - Specific Palo Alto Question in Deployment Architecture https://community.splunk.com/t5/Deployment-Architecture/First-Time-Setup-with-Heavy-Forwarder-Help-Specific-Palo-Alto/m-p/387853#M14094 <P>I am setting up a new splunk environment and running into a few questions i am hoping i can get answers for. My environment consists of three on prem enterprise instances. A single search head, single indexer, and single heavy forwarder. I am setting up the heavy forwarder as some of the splunk apps we want to use require it for "pre parsing". With that in mind, i have the three instances configured and am ready to add my first data input. I want to send my palo alto panorama logs to the heavy forwarder instance.</P> <P>I tried just setting up the syslog entry to port 514 and then create a syslog data input on the heavy forwarder to listen on that port. But nothing is coming across. In researching i think this is wrong, and what i need to do is:</P> <P>High level steps<BR /> Install and configure a syslog-ng server<BR /> Configure logging format for data to be received from the Palo Alto Networks appliance<BR /> Configure Palo Alto Networks appliance logging, and output to the syslog-ng server<BR /> Configure receiving of data on the Splunk platform indexer cluster<BR /> Install a Splunk universal forwarder on the same host as the syslog-ng server<BR /> Install the Splunk Add-on for Palo Alto Networks on the Splunk universal forwarder<BR /> Install the Splunk Add-on for Palo Alto Networks across the Splunk platform deployment<BR /> Configure the universal forwarder to monitor syslog-ng logs, and forward data to the Splunk platform<BR /> Validate your data</P> <P>Can someone confirm this is the correct process? If so i just need to go through and build a fourth linux box to act as the syslog-ng.</P> Mon, 19 Nov 2018 13:42:57 GMT ghostdog920 2018-11-19T13:42:57Z First Time Setup with Heavy Forwarder Help - Specific Palo Alto Question https://community.splunk.com/t5/Deployment-Architecture/First-Time-Setup-with-Heavy-Forwarder-Help-Specific-Palo-Alto/m-p/387853#M14094 <P>I am setting up a new splunk environment and running into a few questions i am hoping i can get answers for. My environment consists of three on prem enterprise instances. A single search head, single indexer, and single heavy forwarder. I am setting up the heavy forwarder as some of the splunk apps we want to use require it for "pre parsing". With that in mind, i have the three instances configured and am ready to add my first data input. I want to send my palo alto panorama logs to the heavy forwarder instance.</P> <P>I tried just setting up the syslog entry to port 514 and then create a syslog data input on the heavy forwarder to listen on that port. But nothing is coming across. In researching i think this is wrong, and what i need to do is:</P> <P>High level steps<BR /> Install and configure a syslog-ng server<BR /> Configure logging format for data to be received from the Palo Alto Networks appliance<BR /> Configure Palo Alto Networks appliance logging, and output to the syslog-ng server<BR /> Configure receiving of data on the Splunk platform indexer cluster<BR /> Install a Splunk universal forwarder on the same host as the syslog-ng server<BR /> Install the Splunk Add-on for Palo Alto Networks on the Splunk universal forwarder<BR /> Install the Splunk Add-on for Palo Alto Networks across the Splunk platform deployment<BR /> Configure the universal forwarder to monitor syslog-ng logs, and forward data to the Splunk platform<BR /> Validate your data</P> <P>Can someone confirm this is the correct process? If so i just need to go through and build a fourth linux box to act as the syslog-ng.</P> Mon, 19 Nov 2018 13:42:57 GMT https://community.splunk.com/t5/Deployment-Architecture/First-Time-Setup-with-Heavy-Forwarder-Help-Specific-Palo-Alto/m-p/387853#M14094 ghostdog920 2018-11-19T13:42:57Z Re: First Time Setup with Heavy Forwarder Help - Specific Palo Alto Question https://community.splunk.com/t5/Deployment-Architecture/First-Time-Setup-with-Heavy-Forwarder-Help-Specific-Palo-Alto/m-p/387854#M14095 <P>You checked you have set the input for 514 with udp:514 or tcp:514 so that it matches what the appliance is sending?<BR /> Checked the index it's being sent to is correct and already exists?<BR /> Setting up a syslog receiver to catch the events is a more robust solution as it does not stop/start with Splunk restarts.</P> <P>...Laurie:{)</P> Mon, 19 Nov 2018 21:36:20 GMT https://community.splunk.com/t5/Deployment-Architecture/First-Time-Setup-with-Heavy-Forwarder-Help-Specific-Palo-Alto/m-p/387854#M14095 laurie_gellatly 2018-11-19T21:36:20Z