Deployment Architecture

First Time Setup with Heavy Forwarder Help - Specific Palo Alto Question

ghostdog920
Path Finder

I am setting up a new splunk environment and running into a few questions i am hoping i can get answers for. My environment consists of three on prem enterprise instances. A single search head, single indexer, and single heavy forwarder. I am setting up the heavy forwarder as some of the splunk apps we want to use require it for "pre parsing". With that in mind, i have the three instances configured and am ready to add my first data input. I want to send my palo alto panorama logs to the heavy forwarder instance.

I tried just setting up the syslog entry to port 514 and then create a syslog data input on the heavy forwarder to listen on that port. But nothing is coming across. In researching i think this is wrong, and what i need to do is:

High level steps
Install and configure a syslog-ng server
Configure logging format for data to be received from the Palo Alto Networks appliance
Configure Palo Alto Networks appliance logging, and output to the syslog-ng server
Configure receiving of data on the Splunk platform indexer cluster
Install a Splunk universal forwarder on the same host as the syslog-ng server
Install the Splunk Add-on for Palo Alto Networks on the Splunk universal forwarder
Install the Splunk Add-on for Palo Alto Networks across the Splunk platform deployment
Configure the universal forwarder to monitor syslog-ng logs, and forward data to the Splunk platform
Validate your data

Can someone confirm this is the correct process? If so i just need to go through and build a fourth linux box to act as the syslog-ng.

0 Karma

laurie_gellatly
Communicator

You checked you have set the input for 514 with udp:514 or tcp:514 so that it matches what the appliance is sending?
Checked the index it's being sent to is correct and already exists?
Setting up a syslog receiver to catch the events is a more robust solution as it does not stop/start with Splunk restarts.

...Laurie:{)

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...