I am configuring a Palo Alto firewall and Splunk to get data into Splunk Cloud from the firewall. I configured the firewall with a syslog server, and the syslog server is getting the data from the firewall and working properly. I am using Splunk Enterprise as a heavy forwarder. Just want to ask you guys, is it the correct approach, and how can I configure Splunk Enterprise as a heavy forwarder? Or do I need to configure syslog more, like creating files (.conf) so it can direct logs? We are using the same syslog server for other logs like Cisco, and that is already configured and sending data to Splunk Cloud.
This is DEFINITELY the wrong approach. Either do this:
http://www.georgestarcher.com/splunk-success-with-syslog/
Or this:
https://conf.splunk.com/files/2017/slides/to-hec-with-syslog-scalable-aggregated-data-collection-in-...
Or best of all, this:
https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-sys...
You don't necessarily need the Heavy Forwarder. I would install the UF on the syslog server and download the UF app from Splunk Cloud. This will send all your syslog data to Splunk Cloud in an encrypted format.
Since you have data being sent by the same syslog server to Splunk Cloud, one of the above is already done.
What you need to do is create a new app within /opt/splunk/etc/apps which will monitor the Palo Alto logs.
Look at the monitor stanza:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#inputs.conf.example
I would also check whether any of the Palo Alto apps need to be installed on Splunk Cloud to parse the data correctly:
https://splunkbase.splunk.com/apps/#/search/Palo%20Alto/
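As an added illustration (not part of the answer above, and not the Palo Alto add-on's own configuration), here is what the monitor stanza for the Palo Alto syslog files could look like inside that new app on the syslog server. It assumes the syslog daemon writes each firewall's messages to a per-host directory under /var/log/syslog/paloalto/ (a constructed layout), that an index named pan_logs already exists on the Splunk Cloud stack, and that the Palo Alto Networks Add-on, which expects the pan:log sourcetype and sorts events into traffic/threat/system/config itself, is installed on Splunk Cloud; confirm the sourcetype against the add-on version you actually deploy.

```ini
# Example inputs.conf for the app that monitors the Palo Alto syslog files.
# Path shown is for a Universal Forwarder; on a Heavy Forwarder the app lives
# under /opt/splunk/etc/apps/<app>/local/inputs.conf instead.
#
# Assumed (constructed) directory layout written by rsyslog/syslog-ng:
#   /var/log/syslog/paloalto/<firewall-hostname>/<date>.log
[monitor:///var/log/syslog/paloalto/*/*.log]
disabled = 0

# Index must already exist on the Splunk Cloud stack (assumed name).
index = pan_logs

# Sourcetype the Palo Alto Networks Add-on parses; it re-sorts events into
# the pan:traffic / pan:threat / pan:system / pan:config sourcetypes.
sourcetype = pan:log

# Take the host field from the 5th path segment:
#   /var/log/syslog/paloalto/<firewall-hostname>/...  ->  1=var 2=log 3=syslog 4=paloalto 5=<firewall-hostname>
# so each firewall shows up under its own host even though the UF reads all of them.
host_segment = 5

# Skip stale files left behind by log rotation so a fresh UF does not
# re-index weeks of history on first start.
ignoreOlderThan = 7d
```

After restarting the forwarder, `splunk list monitor` on the syslog server should show the new path, and a search such as `index=pan_logs sourcetype=pan:*` on Splunk Cloud confirms events are arriving with the right host values. Keeping the Palo Alto files in their own directory and stanza, rather than sharing the Cisco input, is what lets the sourcetype and index be set correctly per vendor.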
Thank you, that was helpful for me. One more question: I have one more Palo Alto firewall for the same organization, so should I do it with APIs or follow the similar process? Please let me know.
Thanks!
But my manager wants me to configure it by using APIs. Can you please help me? It is a totally different Palo Alto firewall for another department.
@rajveer005 have you looked into this?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGwCAK
Yes, it's quite helpful, but I wonder whether it is applicable for Splunk Cloud, as it is described for on-premises Splunk Enterprise.
If you must go with the API, then you will need to install it on a HF.
so: FW <--- (install TA which uses API) HF ---> Splunk Cloud
The syslog option is the best solution:
FW ---> Syslog (install UF with Splunk cloud config) --> Splunk Cloud
Can you please explain the APIs in detail, like the overview and working environment? How will it work, and do I need the APIs from both Palo Alto and Splunk Cloud?
No issues with how it is currently being done. So stick to the standardised approach where the syslogs are collected to the syslog server and update the document.