I am setting up a new splunk environment and running into a few questions i am hoping i can get answers for. My environment consists of three on prem enterprise instances. A single search head, single indexer, and single heavy forwarder. I am setting up the heavy forwarder as some of the splunk apps we want to use require it for "pre parsing". With that in mind, i have the three instances configured and am ready to add my first data input. I want to send my palo alto panorama logs to the heavy forwarder instance.
I tried just setting up the syslog entry to port 514 and then create a syslog data input on the heavy forwarder to listen on that port. But nothing is coming across. In researching i think this is wrong, and what i need to do is:
High level steps
Install and configure a syslog-ng server
Configure logging format for data to be received from the Palo Alto Networks appliance
Configure Palo Alto Networks appliance logging, and output to the syslog-ng server
Configure receiving of data on the Splunk platform indexer cluster
Install a Splunk universal forwarder on the same host as the syslog-ng server
Install the Splunk Add-on for Palo Alto Networks on the Splunk universal forwarder
Install the Splunk Add-on for Palo Alto Networks across the Splunk platform deployment
Configure the universal forwarder to monitor syslog-ng logs, and forward data to the Splunk platform
Validate your data
Can someone confirm this is the correct process? If so i just need to go through and build a fourth linux box to act as the syslog-ng.
You checked you have set the input for 514 with udp:514 or tcp:514 so that it matches what the appliance is sending?
Checked the index it's being sent to is correct and already exists?
Setting up a syslog receiver to catch the events is a more robust solution as it does not stop/start with Splunk restarts.