Getting Data In

Ingesting Palo Alto logs from an external organization into our on-prem Splunk instance - best practices?

adnankhan5133
Communicator

Hello,

We are in the process of ingesting Palo Alto logs from a separate organization’s network into our instance of Splunk Enterprise Security (on-prem) which resides on another network. Connectivity between both of our organizations is facilitated through an interconnection provided by a product called Equinix. This way, data and file interchanges between our organizations are secure over the internet.

I’m trying to determine a performance- and cost-efficient method of ingesting the other organization’s logs into our network. We’re ingesting our internal organization's Palo Alto FW logs by forwarding these to a syslog server, and they’re sent to our Splunk indexers from there. How different would the log ingestion mechanism for an external org’s Palo Alto logs be?

Any help would be greatly appreciated!


VatsalJagani
SplunkTrust

The best practice is:

1. Send logs from Palo Alto to a Syslog server on UDP.

2. On the Syslog server, put those logs in files.

3. Monitor those files from a monitor input with a UF (make sure to use a UF for performance reasons, as that will use much less bandwidth).

4. Send data from there to the Indexers (some people prefer to use a HF in between the UF and Indexers in this scenario, but if you are taking all security measures then you can send directly to the Indexer; it's perfectly fine).

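The four steps above, rendered as the configuration files they imply. This is an added example, not something posted in the thread or shipped by Splunk or Palo Alto: a small POSIX shell script that writes an rsyslog drop-in (UDP listener, one file per sending firewall, restricted to the partner's source address) and the Universal Forwarder `inputs.conf` / `outputs.conf` that pick those files up and ship them to the indexers over TLS. The partner firewall address `203.0.113.10`, the index name `partner_pan`, the indexer hostnames and the certificate paths are placeholders you would replace; `pan:log` is the sourcetype the Palo Alto add-on expects for raw syslog.

```shell
#!/bin/sh
# Render the syslog-server and Universal Forwarder configs for ingesting a
# partner organisation's Palo Alto firewall logs. Example only; all
# addresses, hostnames, index names and cert paths are constructed placeholders.
set -eu

# Step 1 + 2: rsyslog receives Palo Alto syslog on UDP/514 and writes it to
# /var/log/paloalto/<firewall-hostname>/<date>.log.
write_rsyslog_conf() {
    dir="$1/rsyslog.d"
    mkdir -p "$dir"
    cat > "$dir/10-paloalto.conf" <<'EOF'
# Placeholder partner firewall address (RFC 5737 documentation range).
module(load="imudp")
input(type="imudp" port="514" ruleset="paloalto")

# One directory per sending firewall, one file per day (rotates by name).
template(name="PanFile" type="string"
         string="/var/log/paloalto/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="paloalto") {
    # Only accept datagrams that arrive from the partner's firewall over the
    # interconnect; anything else is dropped before it touches disk.
    if $fromhost-ip != '203.0.113.10' then stop
    # Files readable by the splunk group only, so the UF can monitor them.
    action(type="omfile" dynaFile="PanFile"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="root" fileGroup="splunk")
}
EOF
}

# Step 3 + 4: the Universal Forwarder tails those files and forwards to the
# indexers directly, with server-certificate verification and a client cert.
write_uf_conf() {
    dir="$1/splunk"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<'EOF'
[monitor:///var/log/paloalto/*/*.log]
sourcetype = pan:log
# Placeholder index; it must already exist on the indexers.
index = partner_pan
# /var/log/paloalto/<host>/file.log -> 4th path segment is the firewall name.
host_segment = 4
disabled = 0
EOF
    cat > "$dir/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder indexer names; load-balanced across both receivers.
server = idx1.example.internal:9997, idx2.example.internal:9997
# Indexer acknowledgement so a dropped connection does not lose events.
useACK = true
# TLS to the indexers: verify their cert against our CA, present our own.
sslRootCAPath = /opt/splunkforwarder/etc/auth/internal-ca.pem
sslVerifyServerCert = true
clientCert = /opt/splunkforwarder/etc/auth/uf-client.pem
EOF
}

# Write both sets of files under TARGET (e.g. a staging directory to review
# before copying into /etc/rsyslog.d and $SPLUNK_HOME/etc/system/local).
render_all() {
    write_rsyslog_conf "$1"
    write_uf_conf "$1"
    printf 'Rendered configs under %s\n' "$1"
}

if [ -n "${1:-}" ]; then
    render_all "$1"
fi
```

Two things worth knowing before copying this into production: UDP syslog has no retransmission, so a datagram lost on the interconnect is gone, which is why the file-plus-UF hop with `useACK` matters for the leg you do control; and the `$fromhost-ip` check only filters on source address, so the private circuit (not the filter) is what keeps spoofed events off the listener.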