How to index the fields from the syslog messages coming from Palo Alto firewalls in version 5.0.3
Hello Splunk community,
I need to be able to run some reports that show all traffic logged by my firewalls and provide the following fields:
Report 1:
- Source IP
- Destination IP
- Application (exclude unknown-tcp and unknown-udp)
- Action
- Count
Report 2:
- Source IP
- Destination IP
- Protocol
- Destination Port
- where Application equals unknown-tcp and/or unknown-udp
- Action
- Count
I am completely new to Splunk. I was introduced to it this Monday when I was given this task. Any assistance will be greatly appreciated.
A simple way is to enable syslog-ng on the OS and monitor its output with Splunk; you will then see all the logs on the search side.
Get the port number, source, sourcetype and the index they want the data sent to, and change the settings below accordingly.
# syslog-ng driver names are lowercase: udp() and tcp(), not UDP()
source s_UDP { udp(); };
source s_tcp { tcp(); };
destination d_hoststcp {
file("/log/syslogng/hoststcp/$HOST/$YEAR$MONTH$DAY"
owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};
# the log path ties the sources to the destination; without it nothing is written
log { source(s_UDP); source(s_tcp); destination(d_hoststcp); };
Add this to your Splunk inputs.conf on the indexer side (the monitor path must match the destination directory above, and host_segment = 4 then picks the $HOST directory as the host):
[monitor:///log/syslogng/hoststcp/]
index = <your index name>
sourcetype = <your sourcetype>
host_segment = 4
Hello,
You'll want to download the "Splunk for Palo Alto Networks" app from here: http://apps.splunk.com/app/491
Once you have that and have configured it per the documentation on that same page, then the syslogs will automatically be indexed with the correct fields.
The app comes with many pre-defined dashboards and reports. But you can define your own using the Splunk search or Data Model Pivot feature.
For example, you could use the following searches to generate the reports as tables:
Report 1:
index=pan_logs sourcetype=pan_traffic (application!=unknown-tcp AND application!=unknown-udp) | stats count by src_ip dst_ip application action | sort -count
Report 2:
index=pan_logs sourcetype=pan_traffic (application=unknown-tcp OR application=unknown-udp) | stats count by src_ip dst_ip protocol dst_port application action | sort -count
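The same two reports computed outside Splunk, as an added example that is not from the original answer or from the Palo Alto app: it parses constructed PAN-OS traffic syslog lines and groups them the way the two stats searches above do. The syslog header shape and the column positions are assumptions and should be checked against the firewall version in use.

```python
import csv
import re
from collections import Counter

# Column positions in the comma-separated PAN-OS traffic log body. This is an
# assumption taken from the documented traffic log layout; verify it against
# the firewall version in use (the Splunk app ships its own extractions).
COLUMNS = {"src_ip": 7, "dst_ip": 8, "application": 14,
           "dst_port": 25, "protocol": 29, "action": 30}
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}
SYSLOG_HEADER = re.compile(r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(.*)$")

# Constructed sample syslog lines, not real firewall output.
SAMPLE_LOGS = """\
<14>Jan 10 10:00:01 fw01 1,2013/01/10 10:00:01,0001,TRAFFIC,end,1,2013/01/10 10:00:01,10.1.1.5,192.0.2.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,1001,1,51514,80,0,0,0x0,tcp,allow,1200
<14>Jan 10 10:00:02 fw01 1,2013/01/10 10:00:02,0001,TRAFFIC,end,1,2013/01/10 10:00:02,10.1.1.5,192.0.2.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,1002,1,51515,80,0,0,0x0,tcp,allow,800
<14>Jan 10 10:00:03 fw01 1,2013/01/10 10:00:03,0001,TRAFFIC,deny,1,2013/01/10 10:00:03,10.1.1.7,198.51.100.9,0.0.0.0,0.0.0.0,deny-all,,,unknown-tcp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,1003,1,40000,4444,0,0,0x0,tcp,deny,0
<14>Jan 10 10:00:04 fw01 1,2013/01/10 10:00:04,0001,TRAFFIC,end,1,2013/01/10 10:00:04,10.1.1.9,203.0.113.20,0.0.0.0,0.0.0.0,allow-udp,,,unknown-udp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,1004,1,40001,5555,0,0,0x0,udp,allow,300
"""


def parse_traffic_events(text):
    """Yield a dict of the report fields for each TRAFFIC line in text."""
    for line in text.splitlines():
        m = SYSLOG_HEADER.match(line)
        if not m:
            continue  # not a syslog line in the expected shape
        fields = next(csv.reader([m.group(1)]))
        if len(fields) <= max(COLUMNS.values()) or fields[3] != "TRAFFIC":
            continue  # truncated, or a THREAT/SYSTEM log rather than traffic
        yield {name: fields[pos] for name, pos in COLUMNS.items()}


def report(text, group_by, want_unknown):
    """Like '| stats count by <group_by> | sort -count' in the searches above."""
    counter = Counter()
    for ev in parse_traffic_events(text):
        # Report 1 excludes unknown-tcp/unknown-udp; Report 2 keeps only them.
        if (ev["application"] in UNKNOWN_APPS) == want_unknown:
            counter[tuple(ev[f] for f in group_by)] += 1
    return sorted(counter.items(), key=lambda kv: -kv[1])


def report1(text):
    return report(text, ("src_ip", "dst_ip", "application", "action"), False)


def report2(text):
    return report(text, ("src_ip", "dst_ip", "protocol", "dst_port",
                         "application", "action"), True)
```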
You can download the app from https://apps.splunk.com/app/491/#/documentation
Send the syslog data from the firewall and configure the data inputs in Splunk; see the above link for details.
