Deployment Architecture

First Time Setup with Heavy Forwarder Help - Specific Palo Alto Question

ghostdog920
Path Finder

I am setting up a new Splunk environment and running into a few questions I am hoping I can get answers for. My environment consists of three on-prem Enterprise instances: a single search head, a single indexer, and a single heavy forwarder. I am setting up the heavy forwarder as some of the Splunk apps we want to use require it for "pre-parsing". With that in mind, I have the three instances configured and am ready to add my first data input. I want to send my Palo Alto Panorama logs to the heavy forwarder instance.

I tried just setting up the syslog entry to port 514 and then creating a syslog data input on the heavy forwarder to listen on that port, but nothing is coming across. In researching, I think this is wrong, and what I need to do is:

High level steps:
1. Install and configure a syslog-ng server
2. Configure logging format for data to be received from the Palo Alto Networks appliance
3. Configure Palo Alto Networks appliance logging, and output to the syslog-ng server
4. Configure receiving of data on the Splunk platform indexer cluster
5. Install a Splunk universal forwarder on the same host as the syslog-ng server
6. Install the Splunk Add-on for Palo Alto Networks on the Splunk universal forwarder
7. Install the Splunk Add-on for Palo Alto Networks across the Splunk platform deployment
8. Configure the universal forwarder to monitor syslog-ng logs, and forward data to the Splunk platform
9. Validate your data

Can someone confirm this is the correct process? If so, I just need to go through and build a fourth Linux box to act as the syslog-ng server.

0 Karma
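The steps in the question, rendered as the configuration files they produce, as an added example that is not part of the original post and not Splunk's or Palo Alto Networks' own documentation. It assumes syslog-ng listens on both udp/514 and tcp/514 (Palo Alto appliances default to UDP, so the syslog server profile on Panorama must match), that the universal forwarder runs as user `splunk` on the syslog-ng host, and that the index name `pan_logs`, the indexer hostname `indexer.example.internal` and the `pan:log` sourcetype from the Splunk Add-on for Palo Alto Networks are what the deployment uses; all of these are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): renders the configuration files for the
# syslog-ng + universal forwarder path listed in the question. All paths, the
# index name "pan_logs", the indexer hostname and the ports are assumptions.
set -eu

# Steps 1-2: syslog-ng listens on udp/514 and tcp/514 and writes one file per
# sending host so the forwarder can derive the host field from the path.
# @version should match the installed syslog-ng release.
render_syslog_ng_conf() {
  cat > "$1" <<'EOF'
@version: 3.38
@include "scl.conf"

source s_pan {
  network(transport("udp") port(514));
  network(transport("tcp") port(514));
};

destination d_pan {
  file("/var/log/syslog-ng/pan/$HOST/$YEAR-$MONTH-$DAY.log"
       create-dirs(yes) owner("splunk") group("splunk") perm(0640)
       template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

log { source(s_pan); destination(d_pan); };
EOF
}

# Step 4: the indexer receives forwarder traffic on 9997.
render_indexer_inputs() {
  cat > "$1" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF
}

# Steps 5-8: the universal forwarder on the syslog-ng host monitors the files,
# tags them with the add-on's pan:log sourcetype and takes the host from the
# fifth path segment (/var/log/syslog-ng/pan/<host>/...).
render_uf_inputs() {
  cat > "$1" <<'EOF'
[monitor:///var/log/syslog-ng/pan/*/*.log]
sourcetype = pan:log
index = pan_logs
host_segment = 5
disabled = 0
EOF
}

render_uf_outputs() {
  cat > "$1" <<'EOF'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.internal:9997
EOF
}

# Writes every file into the directory given as $1 and lists them.
render_all() {
  mkdir -p "$1"
  render_syslog_ng_conf "$1/syslog-ng.conf"
  render_indexer_inputs "$1/indexer_inputs.conf"
  render_uf_inputs      "$1/uf_inputs.conf"
  render_uf_outputs     "$1/uf_outputs.conf"
  ls "$1"
}

# Usage: sh render_pan_configs.sh /tmp/pan-configs
if [ "$#" -gt 0 ]; then
  render_all "$1"
fi
```

The rendered `syslog-ng.conf` goes on the syslog-ng host, `uf_inputs.conf` and `uf_outputs.conf` into a local app on the universal forwarder there, and `indexer_inputs.conf` into a local app on the indexer; the `pan_logs` index still has to be defined in `indexes.conf` on the indexer, and step 3 (the syslog server profile on Panorama) is done in the Palo Alto UI and has no file here.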

laurie_gellatly
Communicator

Have you checked that you set the input for 514 as udp:514 or tcp:514 so that it matches what the appliance is sending?
Have you checked that the index it's being sent to is correct and already exists?
Setting up a syslog receiver to catch the events is a more robust solution, as it does not stop/start with Splunk restarts.

...Laurie:{)

0 Karma
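The two checks in the reply above, turned into a script, as an added example that is not Laurie's or Splunk's own code. It assumes the heavy forwarder's listener is defined in an `inputs.conf` as a `[udp://514]` or `[tcp://514]` stanza and that the target index is defined in an `indexes.conf`; the sample files it writes are constructed, and the index name `pan_logs` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): checks the two points the reply raises
# against an inputs.conf / indexes.conf pair. Sample files are constructed;
# the index name "pan_logs" is an assumption.
set -eu

# Prints the value of key $3 inside stanza $2 (e.g. "[udp://514]") of file $1.
stanza_value() {
  awk -v s="$2" -v k="$3" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && index($0, "=") {
      split($0, kv, "=")
      gsub(/[ \t]/, "", kv[1])
      if (kv[1] == k) { v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }
  ' "$1"
}

# Checks that inputs.conf ($1) has an enabled [$3://$4] stanza and that the
# index it writes to is defined in indexes.conf ($2). Returns 0 when both hold.
check_syslog_input() {
  inputs=$1 indexes=$2 proto=$3 port=$4
  header="[$proto://$port]"
  if ! grep -qxF "$header" "$inputs"; then
    echo "FAIL: no $header stanza in $inputs (is the appliance sending $proto/$port?)"
    return 1
  fi
  case "$(stanza_value "$inputs" "$header" disabled)" in
    1|true) echo "FAIL: $header stanza is disabled"; return 1 ;;
  esac
  idx=$(stanza_value "$inputs" "$header" index)
  [ -n "$idx" ] || idx=main     # Splunk falls back to the default index
  if ! grep -qxF "[$idx]" "$indexes"; then
    echo "FAIL: $header writes to index '$idx' but there is no [$idx] stanza in $indexes"
    return 1
  fi
  echo "OK: $header -> index $idx"
  return 0
}

# Constructed sample files: a UDP listener on 514 for pan:log and a TCP listener
# on 1514 pointing at an index that indexes.conf does not define.
write_samples() {
  mkdir -p "$1"
  cat > "$1/inputs.conf" <<'EOF'
[udp://514]
sourcetype = pan:log
index = pan_logs
connection_host = ip

[tcp://1514]
sourcetype = pan:log
index = firewall
EOF
  cat > "$1/indexes.conf" <<'EOF'
[pan_logs]
homePath   = $SPLUNK_DB/pan_logs/db
coldPath   = $SPLUNK_DB/pan_logs/colddb
thawedPath = $SPLUNK_DB/pan_logs/thaweddb
EOF
}

# Usage: sh check_syslog_input.sh <inputs.conf> <indexes.conf> udp 514
if [ "$#" -eq 4 ]; then
  check_syslog_input "$@"
fi
```

The script only sees the two files it is given, so point it at the merged configuration rather than one app's `local` directory: `splunk btool inputs list --debug` and `splunk btool indexes list` on the heavy forwarder and indexer show which stanza and index are actually in effect after layering. A `[tcp://514]` stanza with the appliance sending UDP (or the reverse) is exactly the mismatch the first check reports.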