Solved: How to exclude firewall events in Splunk?

umesh · ‎11-08-2022

Hi

i am using palo-alto firewall. i am getting firewall logs to syslog server and monitoring those logs and forwarding to indexer and to search head.

I want to exclude events from particular src_ip from indexing as the src is generating high volume of logs and consuming my license.

How to exclude these events. Please let me know.

Thanks

gcusello · ‎11-08-2022

Hi @umeshm,

when I speak of location I don't mean on file system, that isn't relevant, but the server where i located: they must be on Indexers or, when present on Heavy Forwarders (as I suppose you have).

Is it clear for you how to configure your filter?

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-08-2022

Hi @umesh,

to filter and discard events you have to find a regex and apply the configurations described at https://docs.splunk.com/Documentation/Splunk/9.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

remember that these configuration must be applied on Indexers or, when present, on heavy Forwarders.

Ciao.

Giuseppe

umesh · ‎11-08-2022

@gcusello

[pan:traffic]

location of props.conf and tranforms.conf is etc/system local or Splunk add-on for paloalto app. which is preferable .

Thanks for the quick response

gcusello · ‎11-08-2022

Hi @umeshm,

when I speak of location I don't mean on file system, that isn't relevant, but the server where i located: they must be on Indexers or, when present on Heavy Forwarders (as I suppose you have).

Is it clear for you how to configure your filter?

Ciao.

Giuseppe

How to exclude firewall events in Splunk?

deployment client

distributed search

forwarder management

intermediate forwarder

Linux

search head

universal forwarder

Windows

workload management

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk