I had a request from my user community to add Palo Alto syslogs to Splunk. I found an app, "Splunk for Palo Alto Networks" (release 3.3.2), and loaded it. On our test environment, consisting of 1 search head and 1 indexer (release 5.0.5), the setup worked fine. I used port 10514 for the UDP data because I'm running as the "splunk" UID.
The test went well but not all the features were available in the app because we are not using WildFire at this time.
Anyway, I'm in the process of moving the complete package to our production instance (also release 5.0.5), but I'm having concerns and issues. I could use some suggestions on what route to take, either 1 or 2.
1) This would be to add the "Splunk for Palo Alto Networks" to all the indexers and just tell the user community to use raw searches. But with this version I don't know how to tell the Palo Alto group to set up their firewalls to send UDP packets to our 16 server suite of indexers - or if that is even possible. The application documentation seems to only address sending data to 1 indexer.
2) This version would be to just use raw Palo Alto syslog data. But, if I understand the documentation correctly, there is no Splunk forwarder involved and you only get 1 destination to send UDP packets to.
I would appreciate any insight from anyone that has worked with Palo Alto devices on this.
Thanks in advance.
The best solution is not to receive data on syslog straight into Splunk. Send it to a dedicated syslog receiving server, rsyslog or syslog-ng as you prefer. Then use a Splunk Universal Forwarder to pick up the logs from the Palo Altos, setting the sourcetype and index that you need.
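As an added illustration of that layout (this is example code, not from the thread or from the app), the script below writes the rsyslog receiver configuration for the syslog host and the inputs.conf/outputs.conf for the Universal Forwarder that picks the files up. Everything in it is assumed for illustration: the firewall IPs, the landing directory, the indexer hostnames, the forwarder's install path, and the sourcetype/index pair pan_log/pan_logs (check the props.conf of your copy of the app for the sourcetype it actually expects). It uses the "splunk" user mentioned in the question so the forwarder can read the files without running as root.

```shell
#!/bin/sh
# Added example, not part of the original thread: provision a dedicated
# rsyslog receiver for Palo Alto firewalls plus a Universal Forwarder that
# tails the resulting files and load-balances across all indexers.
# Run "sh pan_syslog.sh apply" to write to the real filesystem; the
# functions take an optional root directory so they can be exercised safely.
# All values below are assumptions for illustration.

PAN_HOSTS="192.0.2.10 192.0.2.11"        # hypothetical firewall source IPs
PAN_LOGDIR="/var/log/paloalto"            # hypothetical landing directory
SYSLOG_PORT=514                           # rsyslog runs as root, so 514 is usable
SPLUNK_USER="splunk"                      # the UID the forwarder runs as
SPLUNK_HOME="/opt/splunkforwarder"        # hypothetical forwarder install path
INDEXERS="idx01.example.net:9997 idx02.example.net:9997 idx03.example.net:9997"  # list all of them

# rsyslog side (legacy directive syntax, works on rsyslog 5 and 7):
# one file per firewall per day, group-readable by the forwarder's user,
# and the Palo Alto lines are discarded after writing so they do not
# also land in /var/log/messages.
write_rsyslog_conf() {
  rs_root="${1:-}"
  mkdir -p "$rs_root/etc/rsyslog.d"
  rs_conf="$rs_root/etc/rsyslog.d/10-paloalto.conf"
  {
    printf '%s\n' '$ModLoad imudp'
    printf '%s\n' "\$UDPServerRun $SYSLOG_PORT"
    printf '%s\n' '$FileOwner root'
    printf '%s\n' "\$FileGroup $SPLUNK_USER"
    printf '%s\n' '$FileCreateMode 0640'
    printf '%s\n' "\$DirGroup $SPLUNK_USER"
    printf '%s\n' '$DirCreateMode 0750'
    printf '%s\n' "\$template PanFile,\"$PAN_LOGDIR/%HOSTNAME%/%\$YEAR%-%\$MONTH%-%\$DAY%.log\""
    for ip in $PAN_HOSTS; do
      printf '%s\n' "if \$fromhost-ip == '$ip' then ?PanFile;RSYSLOG_TraditionalFileFormat"
      printf '%s\n' '& ~'   # discard; rsyslog 7+ prefers the spelling "& stop"
    done
  } > "$rs_conf"
  echo "$rs_conf"
}

# Forwarder side: monitor the whole tree, take the host name from the
# per-firewall directory, and spread events over every indexer with autoLB
# instead of pointing the firewalls at a single UDP destination.
write_uf_conf() {
  uf_root="${1:-}"
  uf_dir="$uf_root$SPLUNK_HOME/etc/system/local"
  mkdir -p "$uf_dir"
  # host directory is the segment right after PAN_LOGDIR, so count its slashes
  host_seg=$(( $(printf '%s' "$PAN_LOGDIR" | tr -cd '/' | wc -c) + 1 ))
  cat > "$uf_dir/inputs.conf" <<EOF
[monitor://$PAN_LOGDIR]
disabled = false
recursive = true
sourcetype = pan_log
index = pan_logs
host_segment = $host_seg
EOF
  servers=$(echo $INDEXERS | sed 's/ /, /g')
  cat > "$uf_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = pan_indexers

[tcpout:pan_indexers]
server = $servers
autoLB = true
autoLBFrequency = 30
EOF
  echo "$uf_dir"
}

# Only touch the real filesystem when explicitly asked.
if [ "${1:-}" = "apply" ]; then
  write_rsyslog_conf ""
  write_uf_conf ""
  echo "restart rsyslog and the forwarder to pick up the new configuration"
fi
```

With this layout the firewalls still have a single syslog destination (the rsyslog host), which is what their configuration allows, while the forwarder's autoLB distributes the events across all of the indexers. Because the files are written by rsyslog, a forwarder or indexer restart does not lose UDP packets; the forwarder simply resumes tailing where it left off.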