Solved: Palo Alto Networks App for Splunk: Is it possible ...

turn1p · ‎11-10-2016

Hi,

New to Splunk Enterprise and only have the Palo Alto Networks App for Splunk + Palo Alto Networks Add-on for Splunk installed and configured.

Is it possible to restrict which traffic logs or at least determine which firewall rules are generating most of these logs? i noticed pan:traffic consuming around 75% of our daily allowance and that leaves me little room to log much else in our environment.

Thanks in advance

niemesrw · ‎11-10-2016

Hi turn1p -

We do something similar - when creating policies, we put an additional "key" in the policy name of "xlog" which we then filter upon input on our splunk server that is ingesting the logs (in our case a heavy forwarder - you might do the same on your indexer).

Here's the relevant props & transforms:

props.conf:
[pan:log]
TRANSFORMS-drop = discard-nolog

transforms.conf:
[discard-nolog]
REGEX = TRAFFIC.*xlog
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

btorresgil · ‎11-10-2016

Since Palo Alto Networks App version 5.x and Add-on version 3.6.x, the data is put in the dashboards by eventtype instead of index. This means if a user does not have access to an index, the logs in that index will not show up in the App dashboards. You can use this to control what logs each user sees.

For example, you can have one firewall send to a data input on port 515 and another firewall send to port 516. Port 515 goes to an index called pan_logs_perimeter and port 516 goes to an index called pan_logs_datacenter. Then create two users, a 'perimeter' user with permission to only see the pan_logs_perimeter index and a 'datacenter' user that can only see the pan_logs_datacenter index. When both of these users access the App dashboards, they will see only the data from the index they are allowed to see. The 'perimeter' user will only see logs from pan_log_perimeter, and the 'datacenter' user will only see logs from pan_logs_datacenter, even if they are accessing the same dashboard in the same App.

niemesrw · ‎11-10-2016

Hi turn1p -

We do something similar - when creating policies, we put an additional "key" in the policy name of "xlog" which we then filter upon input on our splunk server that is ingesting the logs (in our case a heavy forwarder - you might do the same on your indexer).

Here's the relevant props & transforms:

props.conf:
[pan:log]
TRANSFORMS-drop = discard-nolog

transforms.conf:
[discard-nolog]
REGEX = TRAFFIC.*xlog
DEST_KEY = queue
FORMAT = nullQueue

sk314 · ‎11-10-2016

This is a much more graceful than what I did. I didn't know the log format itself was configurable on PAN end. I ended up writing a shitty regex to filter pan:traffic allowed logs. like so:

 [pan_traffic_allowed] 
REGEX = (([^,]*,){3}TRAFFIC,([^,]*,){26}allow,)
DEST_KEY = queue
FORMAT =  nullQueue

😞

niemesrw · ‎11-10-2016

Well the format isn't really configurable, we're just adding some more 'metadata' to the policy name. Since Brian Torres-Gil below works for Palo Alto (and wrote this app), he might be able to ask that they log tags or some other field we could parse on ingest..

Either way - whatever works!

sk314 · ‎11-10-2016

that explains - I was wondering why @btorresgil sounds familiar!! Also - whatever works!! 🙂

Palo Alto Networks App for Splunk: Is it possible to restrict certain Palo Alto traffic logs?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Palo Alto Networks App for Splunk: Is it possible to restrict certain Palo Alto traffic logs?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25