All Apps and Add-ons

Parsing firewall logs using Palo alto add-on for Splunk

uskwarrior1
New Member

Hi Folks,

We use Splunk enterprise cloud as our central logging and SIEM system. All windows logs as well as logs from network devices are sent to the Splunk Cloud.

For log transmission, we use the following two methods (both methods are documented in the doc attached)

  • For windows and unix machines --> Installing splunk universal forwarder agents
  • For network devices that send raw logs --> Configuring splunk log forwarder on a docker instance

The windows logs are parsed correctly on Splunk however for logs from networking devices since they are sent in syslog format are not.

I was wondering if there are any apps (for palo alto and cisco) that would retroactively parse the previously ingested data? If we can, what would be the best way of doing so? (re-run the data? can we parse it as we perform searches?)

Many thanks for your help in advance.

0 Karma
1 Solution

adonio
Ultra Champion
0 Karma

adonio
Ultra Champion

yes,

read the docs for the apps ...
PAN:
https://splunkbase.splunk.com/app/2757/
Cisco ASA:
https://splunkbase.splunk.com/app/1620/

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...