Ingesting Palo Alto logs from an external organiza...

adnankhan5133 · ‎02-09-2022

Hello,

We are in the process of ingesting Palo Alto logs from a separate organization’s network into our instance of Spunk Enterprise Security (on-prem) which resides on another network. Connectivity between both of our organizations is facilitated through an interconnection provided by a product called Equinix. This way, data and file interchanges between our organizations are secure over the internet.

I’m trying to determine a performance and cost-efficient method of ingesting the other organization’s logs into our network. We’re ingesting our internal organization Palo Alto FW logs by forwarding these to a syslog server, and they’re sent to our Spunk indexers from there. How different would the log ingestion mechanism for an external org’s Palo Alto logs be?

Any help would be greatly appreciated!

VatsalJagani · ‎02-09-2022

The best practice is:

1. Send logs from Palo Alto to Syslog server on UDP.

2. On Syslog server put those logs in the files.

3. Monitor those files from monitor input with UF (make sure to use UF for the performance of reasons as that will use much less bandwidth).

4. Send data from there to Indexers (some people prefer to use HF in between the UF and Indexers in this scenario, but if you are taking all security measures then you can send directly to Indexer its perfectly fine).

Ingesting Palo Alto logs from an external organization into our on-prem Splunk instance- best practices?

universal forwarder

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas