Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Ingesting Palo Alto logs from an external organization into our on-prem Splunk instance- best practices?

adnankhan5133
Communicator
‎02-09-2022 08:40 PM

Hello,

We are in the process of ingesting Palo Alto logs from a separate organization’s network into our instance of Spunk Enterprise Security (on-prem) which resides on another network. Connectivity between both of our organizations is facilitated through an interconnection provided by a product called Equinix. This way, data and file interchanges between our organizations are secure over the internet.

I’m trying to determine a performance and cost-efficient method of ingesting the other organization’s logs into our network. We’re ingesting our internal organization Palo Alto FW logs by forwarding these to a syslog server, and they’re sent to our Spunk indexers from there. How different would the log ingestion mechanism for an external org’s Palo Alto logs be?

Any help would be greatly appreciated!

Labels (1)
Labels
Tags (2)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-09-2022 09:59 PM

The best practice is:

1. Send logs from Palo Alto to Syslog server on UDP.

2. On Syslog server put those logs in the files.

3. Monitor those files from monitor input with UF (make sure to use UF for the performance of reasons as that will use much less bandwidth).

4. Send data from there to Indexers (some people prefer to use HF in between the UF and Indexers in this scenario, but if you are taking all security measures then you can send directly to Indexer its perfectly fine).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...