I am configuring a Palo Alto firewall and Splunk to get data into Splunk Cloud from the firewall. I configured the firewall with a syslog server, and the syslog server is receiving the data from the firewall properly. I am using Splunk Enterprise as a heavy forwarder. Just want to ask you guys: is this the correct approach, and how can I configure Splunk Enterprise as a heavy forwarder? Or do I need to configure syslog more, like creating .conf files so it can direct the logs? We are using the same syslog server for other logs like Cisco, and that is already configured and sending data to Splunk Cloud.
This is DEFINITELY the wrong approach. Either do this:
Or best of all, this:
You don't necessarily need the Heavy Forwarder. I would install the UF on the syslog server and download the UF app from Splunk Cloud. This will send all your syslog data to Splunk Cloud in an encrypted format.
Since you have data being sent by the same syslog server to Splunk Cloud, one of the above is already done.
What you need to do is create a new app within /opt/splunk/etc/apps which will monitor the Palo Alto logs.
Look at the monitor stanza.
I would also check whether any of the Palo Alto apps needs to be installed on Splunk Cloud to parse the data correctly:
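As an added example (not from the thread or from Splunk's own documentation), here is a POSIX shell script that generates the kind of app the answer describes: a `local/inputs.conf` with a `monitor://` stanza for the Palo Alto syslog files plus a minimal `app.conf`. The app name `pan_syslog_inputs`, the file layout `/var/log/paloalto/<firewall-host>/*.log`, the index name `pan_logs` and the `host_segment` value are assumptions about the syslog server's configuration; `pan:log` is the sourcetype the Palo Alto Networks Add-on expects for raw syslog, so check it against the version of the add-on installed in Splunk Cloud. The base directory is a parameter so the same script can be dry-run into a temporary directory before touching the forwarder.

```shell
#!/bin/sh
# Added example: generate a minimal Splunk UF app that monitors Palo Alto
# syslog files written by the syslog server. Not code from the original thread.
set -eu

# make_pan_app BASE_DIR LOG_GLOB INDEX HOST_SEGMENT
# Writes BASE_DIR/pan_syslog_inputs/local/{inputs.conf,app.conf} and prints
# the path of the generated inputs.conf.
make_pan_app() {
    base="$1"       # e.g. /opt/splunkforwarder/etc/apps on the syslog host (assumed path)
    log_glob="$2"   # e.g. /var/log/paloalto/*/*.log (assumed rsyslog file layout)
    index="$3"      # index that must already exist in Splunk Cloud (assumed name)
    host_seg="$4"   # 1-based path segment that carries the firewall hostname

    app_dir="$base/pan_syslog_inputs"
    mkdir -p "$app_dir/local" "$app_dir/metadata"

    # The monitor stanza: one log file per firewall under the syslog spool dir.
    # host_segment makes the UF take the host from the directory name instead of
    # the syslog server's own hostname, so events are attributed to the firewall.
    cat > "$app_dir/local/inputs.conf" <<EOF
[monitor://$log_glob]
disabled = false
sourcetype = pan:log
index = $index
host_segment = $host_seg
EOF

    cat > "$app_dir/local/app.conf" <<EOF
[install]
state = enabled
EOF

    echo "$app_dir/local/inputs.conf"
}

# conf_value FILE KEY: print the value of "KEY = value" from a generated .conf,
# so the output can be checked without a Splunk install (on a real forwarder,
# "splunk btool inputs list --debug" shows the merged result instead).
conf_value() {
    awk -F' = ' -v key="$2" '$1 == key { print $2 }' "$1"
}

# Usage: sh make_pan_app.sh /opt/splunkforwarder/etc/apps
if [ $# -ge 1 ]; then
    make_pan_app "$1" '/var/log/paloalto/*/*.log' pan_logs 4
fi
```

After dropping the app into the forwarder's `etc/apps` and restarting the UF, `splunk list monitor` on the syslog host confirms the files are being tailed; the `pan:log` sourcetype is what lets the Palo Alto add-on on the Splunk Cloud side split the stream into traffic, threat, system and config events, which is why the answer says to check that the add-on is installed there.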
Thank you, that was helpful for me. One more question: I have one more Palo Alto firewall for the same organization, so should I do it with APIs or follow the same process? Please let me know.
If you must go with the API, then you will need to install it on an HF.
So: FW <--- (install TA which uses API) HF ---> Splunk Cloud
The syslog option is the best solution:
FW ---> Syslog (install UF with Splunk cloud config) --> Splunk Cloud