All Apps and Add-ons

Splunk_TA_paloalto parsing issues using syslog-ng and universal fowarder to indexers

dmal
New Member

I have my PANs forwarding events to a syslog-ng server over TCP, logs are parsed out to disk and then fowarded to the indexer (which replicates to another indexer) using the universal forwarder.

Config follows the model here:

https://splunk.paloaltonetworks.com/universal-forwarder.html

However my syslog-ng config also has us_dns(no) under the source stanza and sets permits under the destination stanza (creat_dirs, owner, group, perm, etc..)

The indexers are already receiving events from multiple other sources from the same syslog-ng server with no issues.

I have install the Splunk_TA_paloalto add-on on the Indexer and I figure that the issue is with the content of the inputs.conf file on the indexer. It doesn't make sense to listen on udp:514, since the data is already coming from a UFW, and it's not parsing the data properly (sourcetype is still pan:log or pan:firewall, doesn't seem to be affected what I put in at the syslog-ng server inputs.conf).

There seem to be lots of examples of folks getting this working, is it just that the UFW doesn't work and it has to go through a HFW instead?

Thanks,

d

 

 

 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...