How to index the fields from the syslog messages coming from Palo Alto firewalls in version 5.0.3

frazerjohnson
New Member

Hello Splunk community,

I need to be able to run some reports that show all traffic logged by my firewalls and provide the following fields:
Report 1:
- Source IP
- Destination IP
- Application (exclude unknown-tcp and unknown-udp)
- Action
- Count

Report 2:
- Source IP
- Destination IP
- Protocol
- Destination Port
- where Application equals unknown-tcp and/or unknown-udp
- Action
- Count

I am completely new to Splunk. I was introduced to it this Monday when I was given this task. Any assistance will be greatly appreciated.

0 Karma

bkondakindi
Path Finder

A simple way is to enable syslog-ng on the OS and monitor its output files in Splunk; you will then see all the logs on the search side.

Get the port number/source/sourcetype and which index they want the data sent to, and change the settings below accordingly.

# Listen for syslog over UDP and TCP (syslog-ng driver names are lower-case)
source s_udp { udp(); };
source s_tcp { tcp(); };

# One file per sending host and day
destination d_hoststcp {
    file("/log/syslogng/hoststcp/$HOST/$YEAR$MONTH$DAY"
    owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes));
};

# Without a log path nothing is written to the destination
log { source(s_udp); source(s_tcp); destination(d_hoststcp); };

Add this to your Splunk inputs.conf on the indexer side.

[monitor:///log/syslogng/hoststcp/]
index = <your_index_name>
sourcetype = <your_sourcetype>
# /log/syslogng/hoststcp/$HOST: the 4th path segment is the sending host
host_segment = 4

0 Karma

btorresgil
Builder

Hello,

You'll want to download the "Splunk for Palo Alto Networks" app from here: http://apps.splunk.com/app/491

Once you have that and have configured it per the documentation on that same page, then the syslogs will automatically be indexed with the correct fields.

The app comes with many pre-defined dashboards and reports. But you can define your own using the Splunk search or Data Model Pivot feature.

For example, you could use the following searches to generate the reports as tables:

Report 1:

index=pan_logs sourcetype=pan_traffic (application!=unknown-tcp AND application!=unknown-udp) | stats count by src_ip dst_ip application action | sort -count

Report 2:

index=pan_logs sourcetype=pan_traffic (application=unknown-tcp OR application=unknown-udp) | stats count by src_ip dst_ip protocol dst_port application action | sort -count

0 Karma
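To make concrete what the two `stats count by` searches above compute, and which positions in a PAN-OS TRAFFIC syslog line supply src_ip, dst_ip, application, protocol, dst_port and action, here is an added Python example. It is not code from the Splunk for Palo Alto Networks app or from this thread. The field positions are an assumption based on the PAN-OS 5.0 traffic log format and should be verified against the PAN-OS syslog field reference for your release; the hostname, serial number, addresses and log lines are constructed.

```python
"""Parse PAN-OS 5.0 TRAFFIC syslog lines and build the two requested
reports the way the SPL searches do with `stats count by ... | sort -count`.
Added example; not the Splunk for Palo Alto Networks app's own code."""
import csv
import re
from collections import Counter
from io import StringIO

# Assumed 0-based positions of the comma-separated fields in a PAN-OS 5.0
# TRAFFIC log body (verify against your firewall's syslog field reference).
FIELD_POS = {
    "type": 3, "src_ip": 7, "dst_ip": 8, "application": 14,
    "dst_port": 25, "protocol": 29, "action": 30,
}
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}

# Strips an optional <PRI> and the "Mon dd hh:mm:ss host " syslog header so
# only the firewall's CSV body remains.
SYSLOG_HEADER = re.compile(r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")


def parse_traffic_line(line):
    """Return the fields needed for the reports, or None for non-TRAFFIC or
    malformed lines (a truncated line must be skipped, not raise)."""
    body = SYSLOG_HEADER.sub("", line.strip(), count=1)
    fields = next(csv.reader(StringIO(body)), [])
    if len(fields) <= max(FIELD_POS.values()):
        return None
    if fields[FIELD_POS["type"]] != "TRAFFIC":
        return None
    return {name: fields[pos] for name, pos in FIELD_POS.items() if name != "type"}


def report_known_apps(events):
    """Report 1: count by src_ip, dst_ip, application, action, excluding
    unknown-tcp/unknown-udp, sorted by count descending."""
    counts = Counter(
        (e["src_ip"], e["dst_ip"], e["application"], e["action"])
        for e in events if e["application"] not in UNKNOWN_APPS
    )
    return counts.most_common()


def report_unknown_apps(events):
    """Report 2: unknown-tcp/unknown-udp only, count by src_ip, dst_ip,
    protocol, dst_port, application, action, sorted by count descending."""
    counts = Counter(
        (e["src_ip"], e["dst_ip"], e["protocol"], e["dst_port"],
         e["application"], e["action"])
        for e in events if e["application"] in UNKNOWN_APPS
    )
    return counts.most_common()


def build_reports(lines):
    """Parse raw syslog lines and return (report1, report2)."""
    events = [e for e in map(parse_traffic_line, lines) if e is not None]
    return report_known_apps(events), report_unknown_apps(events)


# Constructed sample lines: hypothetical host pa-fw-01, serial and addresses.
SAMPLE_LINES = [
    "Jan 15 10:23:01 pa-fw-01 1,2013/01/15 10:23:01,001606000001,TRAFFIC,end,1,"
    "2013/01/15 10:23:01,10.1.1.10,8.8.8.8,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,log-all,2013/01/15 10:23:01,12345,1,"
    "52136,53,0,0,0x0,udp,allow,200,100,100,2,2013/01/15 10:22:59,1,any,0,"
    "1000001,0x0,10.0.0.0-10.255.255.255,United States,0,1,1",
    "Jan 15 10:23:02 pa-fw-01 1,2013/01/15 10:23:02,001606000001,TRAFFIC,end,1,"
    "2013/01/15 10:23:02,10.1.1.10,8.8.8.8,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,log-all,2013/01/15 10:23:02,12346,1,"
    "52137,53,0,0,0x0,udp,allow,210,105,105,2,2013/01/15 10:23:00,1,any,0,"
    "1000002,0x0,10.0.0.0-10.255.255.255,United States,0,1,1",
    # Same format with a <PRI> prefix, an unknown-tcp session that was denied
    "<14>Jan 15 10:23:03 pa-fw-01 1,2013/01/15 10:23:03,001606000001,TRAFFIC,drop,1,"
    "2013/01/15 10:23:03,10.1.1.20,203.0.113.5,0.0.0.0,0.0.0.0,deny-unknown,,,"
    "unknown-tcp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,log-all,"
    "2013/01/15 10:23:03,12347,1,40001,4444,0,0,0x0,tcp,deny,60,60,0,1,"
    "2013/01/15 10:23:03,0,any,0,1000003,0x0,10.0.0.0-10.255.255.255,United States,0,1,0",
    # A SYSTEM log with enough fields: rejected by the type check
    "Jan 15 10:23:04 pa-fw-01 1,2013/01/15 10:23:04,001606000001,SYSTEM,general,0,"
    "2013/01/15 10:23:04" + "," * 30,
    # A truncated TRAFFIC line: rejected by the length check
    "Jan 15 10:23:05 pa-fw-01 1,2013/01/15 10:23:05,001606000001,TRAFFIC,end,1,"
    "2013/01/15 10:23:05,10.1.1.30",
]

if __name__ == "__main__":
    for title, rows in zip(("Report 1", "Report 2"), build_reports(SAMPLE_LINES)):
        print(title)
        for key, count in rows:
            print("  ", *key, count)
```

Only TRAFFIC lines with at least 31 fields are counted; SYSTEM/THREAT lines and truncated lines are dropped rather than producing a misleading row, which is the same effect as the `sourcetype=pan_traffic` filter in the searches above.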

kml_uvce
Builder

You can download the app at https://apps.splunk.com/app/491/#/documentation

Send syslog data from the firewall and configure data inputs in Splunk; see the above link for details.

0 Karma