How to index the fields from the syslog messages coming from Palo Alto firewalls in version 5.0.3

frazerjohnson
New Member

Hello Splunk community,

I need to be able to run some reports that show all traffic logged by my firewalls and provide the following fields:
Report 1:
- Source IP
- Destination IP
- Application (exclude unknown-tcp and unknown-udp)
- Action
- Count

Report 2:
- Source IP
- Destination IP
- Protocol
- Destination Port
- where Application equals unknown-tcp and/or unknown-udp
- Action
- Count

I am completely new to Splunk. I was introduced to it this Monday when I was given this task. Any assistance will be greatly appreciated.

bkondakindi
Path Finder

The simple way is to enable syslog-ng on the OS and have Splunk monitor it; you will see all the logs on the search side.

Get the port number, source, sourcetype and the index you want to send the data to, and change the things below accordingly.

# syslog-ng: listen for syslog on UDP and TCP (driver names are lowercase: udp(), tcp())
source s_UDP { udp(); };
source s_tcp { tcp(); };

# write one file per sending host per day
destination d_hoststcp {
    file("/log/syslogng/hoststcp/$HOST/$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

# connect the sources to the destination; without a log statement nothing is written
log { source(s_UDP); source(s_tcp); destination(d_hoststcp); };

Add this to your Splunk inputs.conf on the indexer side.

# monitor the directory syslog-ng writes to; host_segment = 4 takes the host name
# from the fourth path segment ($HOST in /log/syslogng/hoststcp/$HOST/...)
[monitor:///log/syslogng/hoststcp/]
index = <your index name>
sourcetype = <your sourcetype>
host_segment = 4

btorresgil
Builder

Hello,

You'll want to download the "Splunk for Palo Alto Networks" app from here: http://apps.splunk.com/app/491

Once you have that and have configured it per the documentation on that same page, then the syslogs will automatically be indexed with the correct fields.

The app comes with many pre-defined dashboards and reports. But you can define your own using the Splunk search or Data Model Pivot feature.

For example, you could use the following searches to generate the reports as tables:

Report 1:

index=pan_logs sourcetype=pan_traffic (application!=unknown-tcp AND application!=unknown-udp) | stats count by src_ip dst_ip application action | sort -count

Report 2:

index=pan_logs sourcetype=pan_traffic (application=unknown-tcp OR application=unknown-udp) | stats count by src_ip dst_ip protocol dst_port application action | sort -count
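As an added example (not from this thread or from the Splunk for Palo Alto Networks app), the Python below does what the two searches above do, but directly on raw PAN-OS traffic syslog lines, so the mapping from CSV positions to src_ip, dst_ip, application, protocol, dst_port and action is visible. The field positions, the syslog header layout and the sample lines are assumptions made here; check the positions against your PAN-OS version's log-format documentation.

```python
import csv
from collections import Counter

# Assumed 0-based positions in the comma-separated PAN-OS traffic log payload;
# verify against your PAN-OS version's log-format documentation before use.
FIELDS = {"src_ip": 7, "dst_ip": 8, "application": 14,
          "dst_port": 25, "protocol": 29, "action": 30}
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}
REPORT1_KEYS = ("src_ip", "dst_ip", "application", "action")
REPORT2_KEYS = ("src_ip", "dst_ip", "protocol", "dst_port", "application", "action")

def parse_traffic_line(line):
    """Parse one 'Mon dd hh:mm:ss host payload' line; None unless it is a TRAFFIC log."""
    payload = line.split(None, 4)[4]          # drop the RFC3164-style syslog header
    row = next(csv.reader([payload]))         # fields may be quoted, so use csv
    if len(row) <= max(FIELDS.values()) or row[3] != "TRAFFIC":
        return None
    return {name: row[idx] for name, idx in FIELDS.items()}

def report(records, keys, want_unknown):
    """'stats count by <keys> | sort -count'; want_unknown=True keeps only unknown-* apps (Report 2)."""
    counts = Counter(tuple(r[k] for k in keys) for r in records
                     if (r["application"] in UNKNOWN_APPS) == want_unknown)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def build_reports(lines):
    records = [r for r in map(parse_traffic_line, lines) if r]
    return report(records, REPORT1_KEYS, False), report(records, REPORT2_KEYS, True)

# Constructed sample data: a 32-field traffic payload template (serial number and
# addresses made up) in which only the six fields above are varied per line.
_TEMPLATE = ["1", "2013/03/04 12:00:01", "0001A0000001", "TRAFFIC", "end", "1",
             "2013/03/04 12:00:00", "", "", "203.0.113.9", "", "allow-out", "", "",
             "", "vsys1", "trust", "untrust", "ethernet1/2", "ethernet1/1", "default",
             "2013/03/04 12:00:00", "12345", "1", "51234", "", "51234", "", "0x400000",
             "", "", "2048"]

def sample_line(src, dst, app, dport, proto, action):
    row = list(_TEMPLATE)
    for name, val in zip(REPORT2_KEYS, (src, dst, proto, dport, app, action)):
        row[FIELDS[name]] = val
    return "Mar  4 12:00:01 PA-200 " + ",".join(row)

SAMPLE_LOG = [
    sample_line("10.1.1.5", "198.51.100.7", "web-browsing", "80", "tcp", "allow"),
    sample_line("10.1.1.5", "198.51.100.7", "web-browsing", "80", "tcp", "allow"),
    sample_line("10.1.1.9", "198.51.100.22", "unknown-tcp", "4444", "tcp", "deny"),
    sample_line("10.1.1.9", "198.51.100.22", "unknown-udp", "4444", "udp", "deny"),
    "Mar  4 12:00:02 PA-200 1,2013/03/04 12:00:02,0001A0000001,SYSTEM,general,1",
]
```

Calling build_reports(SAMPLE_LOG) returns Report 1 and Report 2 as lists of (key tuple, count) pairs sorted by descending count; the short SYSTEM line is skipped rather than miscounted.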

kml_uvce
Builder

You can download the app from https://apps.splunk.com/app/491/#/documentation

Send syslog data from the firewall and configure data inputs in Splunk; see the above link for details.

kamal singh bisht