Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we send the PaloAlto firewall logs to splunk CLOUD via HEC?

Iris_Pi
Path Finder
‎08-14-2024 07:19 PM

Hello, 

I'm wondering if we can send the PaloAlto firewall logs to splunk *cloud* via HEC? We've done that once when evaluating other SIEM solution (crowd-strike NG-SIEM).

As to splunk, the documents I can find in Internet all recommend using this flow:  PaloAlto -> syslog-ng+universal forwarder -> splunk cloud.

Does anyone know why HEC is not a preferred option in this case? any potential issue here?

Regards,
Iris

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-15-2024 01:48 AM

Theoretically, you could set up forwarding logs to HEC endpoint by defining proper destination and message template.

But.

As Palo themselves write on their docs page - "Log forwarding to an HTTP server is designed for log forwarding at low frequencies and is not recommend for deployments with a high volume of log forwarding. You may experience log loss when forwarding to an HTTP server if your deployment generate a high volume of logs that need to be forwarded."

Which actually makes sense since it seems Palo will emit a separate HTTP request for each event which might flood your receiver in case of - for example - traffic logs. (and I'm not sure how well it does with keepalives and reusing connections). It doesn't seem to be able to aggregate multiple events into a single request.

So it is indeed a typical approach to send events via syslog to any reasonable modern syslog daemon (either rsyslog or syslog-ng) and handle it there. They can either write them to file which will be picked up by UF or can aggregate them (at least rsyslog can, I'm not that good with syslog-ng but I suppose it does as well) into bigger batches and send much lower number of requests to destination HEC endpoint (like a single HTTP request for every 100 events to send). Of course you have much more flexibility in processing data in-transit if you use an intermediate syslog daemon.

View solution in original post

Reply
Solved! Jump to solution

Iris_Pi
Path Finder
‎08-15-2024 04:33 AM

Thanks @PickleRick for the detailed explanation! it's very helpful 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-15-2024 01:48 AM

Theoretically, you could set up forwarding logs to HEC endpoint by defining proper destination and message template.

But.

As Palo themselves write on their docs page - "Log forwarding to an HTTP server is designed for log forwarding at low frequencies and is not recommend for deployments with a high volume of log forwarding. You may experience log loss when forwarding to an HTTP server if your deployment generate a high volume of logs that need to be forwarded."

Which actually makes sense since it seems Palo will emit a separate HTTP request for each event which might flood your receiver in case of - for example - traffic logs. (and I'm not sure how well it does with keepalives and reusing connections). It doesn't seem to be able to aggregate multiple events into a single request.

So it is indeed a typical approach to send events via syslog to any reasonable modern syslog daemon (either rsyslog or syslog-ng) and handle it there. They can either write them to file which will be picked up by UF or can aggregate them (at least rsyslog can, I'm not that good with syslog-ng but I suppose it does as well) into bigger batches and send much lower number of requests to destination HEC endpoint (like a single HTTP request for every 100 events to send). Of course you have much more flexibility in processing data in-transit if you use an intermediate syslog daemon.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...