Getting Data In

Ingesting Palo Alto logs from an external organization into our on-prem Splunk instance- best practices?



We are in the process of ingesting Palo Alto logs from a separate organization’s network into our instance of Spunk Enterprise Security (on-prem) which resides on another network. Connectivity between both of our organizations is facilitated through an interconnection provided by a product called Equinix. This way, data and file interchanges between our organizations are secure over the internet.

I’m trying to determine a performance and cost-efficient method of ingesting the other organization’s logs into our network. We’re ingesting our internal organization Palo Alto FW logs by forwarding these to a syslog server, and they’re sent to our Spunk indexers from there. How different would the log ingestion mechanism for an external org’s Palo Alto logs be?

Any help would be greatly appreciated!

Labels (1)
Tags (2)
0 Karma

Super Champion

The best practice is:

1. Send logs from Palo Alto to Syslog server on UDP.

2. On Syslog server put those logs in the files.

3. Monitor those files from monitor input with UF (make sure to use UF for the performance of reasons as that will use much less bandwidth).

4. Send data from there to Indexers (some people prefer to use HF in between the UF and Indexers in this scenario, but if you are taking all security measures then you can send directly to Indexer its perfectly fine).

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...