Suggestions to set up Splunk for Palo Alto Networks with multiple indexers?

OldManEd
Builder

All,

I had a request from my user community to add Palo Alto syslogs to Splunk. I found an app, "Splunk for Palo Alto Networks", (release 3.3.2), and loaded it. On our test environment, consisting of 1 search head and 1 indexer, (release 5.0.5), the setup worked fine. I used port 10514 for the UDP data because I'm running as the "splunk" UID.

The test went well but not all the features were available in the app because we are not using WildFire at this time.

Anyway, I'm in the process of moving the complete package to our production instance, (also release 5.0.5), but I'm having concerns and issues. I could use some suggestions on what route to take, either 1 or 2.

1) This would be to add the "Splunk for Palo Alto Networks" to all the indexers and just tell the user community to use raw searches. But with this version I don't know how to tell the Palo Alto group to set up their firewalls to send UDP packets to our 16 server suite of indexers - or if that is even possible. The application documentation seems to only address sending data to 1 indexer.

2) This version would be to just use raw Palo Alto syslog data. But, if I understand the documentation correctly, there is no Splunk forwarder involved and you only get 1 destination to send UDP packets to.

I would appreciate any insight from anyone that has worked with Palo Alto devices on this.

Thanks in advance.

~Ed

1 Solution

starcher
SplunkTrust

The best solution is not to receive data on syslog straight into Splunk. Send it to a dedicated syslog receiving server. Rsyslog or syslog-ng as you prefer. Then use a Splunk Universal forwarder to pick up the logs from the Palo Altos, setting the sourcetype and index that you need.

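As an added example, not taken from this thread or from the app, here is one way to wire up the arrangement starcher describes: rsyslog receives the firewall syslog on the standard port and writes one file per firewall, and a Universal Forwarder on the same box tails those files and load-balances them across the indexers. The file paths, the app directory name, the indexer hostnames and the pan_log/pan_logs names are assumptions to be checked against the app's documentation.

```conf
# /etc/rsyslog.d/10-paloalto.conf on the dedicated syslog receiver (assumed path, rsyslog 7+ syntax).
# rsyslog runs as root, so it can bind UDP 514; the files it writes are owned by the splunk user.
module(load="imudp")
input(type="imudp" port="514" ruleset="paloalto")

# One file per firewall hostname and day: /var/log/pan/<hostname>/YYYY-MM-DD.log
template(name="panFile" type="string"
         string="/var/log/pan/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
# Write each message as received (syslog header included) rather than rsyslog's reformatted version
template(name="panRaw" type="string" string="%rawmsg%\n")

ruleset(name="paloalto") {
    action(type="omfile" dynaFile="panFile" template="panRaw"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="splunk" dirGroup="splunk"
           fileOwner="splunk" fileGroup="splunk")
    stop
}

# $SPLUNK_HOME/etc/apps/pan_syslog_inputs/local/inputs.conf on the Universal Forwarder installed
# on the same receiver (assumed app name). pan_log / pan_logs are assumed to be the sourcetype and
# index this version of the app expects; confirm them against the app's own documentation.
[monitor:///var/log/pan/*/*.log]
sourcetype = pan_log
index = pan_logs
# /var/log/pan/<hostname>/file.log -> the 4th path segment is the firewall's hostname
host_segment = 4
disabled = 0

# $SPLUNK_HOME/etc/system/local/outputs.conf on the same forwarder. Listing every indexer here is
# what spreads the data across the 16-indexer suite: the forwarder switches between them on the
# autoLBFrequency interval (hostnames are placeholders).
[tcpout]
defaultGroup = pan_indexers

[tcpout:pan_indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997, idx03.example.internal:9997
autoLBFrequency = 30
```

Because the firewalls only ever talk to the rsyslog box, nothing on the Palo Alto side has to know how many indexers exist or change when the indexer set changes.
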

OldManEd
Builder

I never thought about this configuration. I think it will work. Thanks.
