Splunk Enterprise

Generating alerts using Palo Alto

m_tanaka
Explorer

I am from Japan. Sorry for my poor English and lack of knowledge about Splunk.

I received a Splunk Enterprise Trial License and would like to import Palo Alto logs and issue alerts (via email, etc.), but I am not sure how to do this (manually importing past logs succeeded). I wonder if past logs can issue alerts.

About our environment: I set up an all-in-one virtual server in our FJ Cloud (Fujitsu Cloud), and Splunk is running there. There are no forwarders installed on other servers.

I would be more than happy if you could let me know. Thank you for your support.

0 Karma

m_tanaka
Explorer

The Palo Alto server transmits the syslog on port 5514 (port 514 was in use).

And I search with the query source="udp:5514".

Is there any problem with the query?

0 Karma

dural_yyz
Builder

What is your Splunk configuration to listen for UDP 5514?

0 Karma

m_tanaka
Explorer

Thank you for your reply.

UDP port 514 was in use. I have no idea why it is used by another process. So, I needed to use another port to receive packets from the Palo Alto server.

However, I solved this problem. The firewalld daemon was blocking the packets coming into Splunk. I stopped firewalld and could then search the Palo Alto logs.

I will go on to the next step of issuing alerts from these logs.

0 Karma
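Stopping firewalld, as in the post above, removes host filtering entirely; the usual fix is to open only the syslog port. The script below is an added example (not code from the thread or from the Splunk add-on) that writes the UDP listener stanza, opens just that port in firewalld, sends a test datagram, and prints the search from the thread. The inputs.conf path and the sourcetype value are assumptions; take the sourcetype from the add-on manual.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from the Splunk add-on.
# Goal: receive Palo Alto syslog on UDP 5514 without stopping firewalld,
# then verify the path with a test datagram and the thread's search query.
set -eu

PORT="${PAN_SYSLOG_PORT:-5514}"
# Assumed location of the local inputs.conf on an all-in-one Splunk server.
APP_LOCAL="${APP_LOCAL:-/opt/splunk/etc/apps/search/local}"

# Write the UDP listener stanza. The sourcetype is an assumption; use the
# value the Splunk Add-on for Palo Alto Networks manual prescribes.
write_udp_input() {
  dir="$1"; port="$2"
  mkdir -p "$dir"
  cat > "$dir/inputs.conf" <<EOF
[udp://$port]
connection_host = ip
# sourcetype below is a placeholder; check the add-on documentation
sourcetype = pan:log
index = main
disabled = 0
EOF
  printf '%s\n' "$dir/inputs.conf"
}

# Open only the syslog port (least privilege) instead of disabling firewalld.
open_firewall_port() {
  port="$1"
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --permanent --add-port="$port/udp"
    firewall-cmd --reload
  else
    echo "firewall-cmd not found; open UDP $port with your firewall tool" >&2
  fi
}

# Splunk search used in the thread to confirm events reach the listener.
search_query() { printf 'source="udp:%s"' "$1"; }

# Send one RFC 3164-style test message to the listener (bash /dev/udp).
send_test_syslog() {
  host="$1"; port="$2"
  printf '<14>%s pan-test: udp %s connectivity check\n' \
    "$(date '+%b %d %H:%M:%S')" "$port" > "/dev/udp/$host/$port"
}

# Set RUN_SETUP=1 to apply on the Splunk host; restart Splunk afterwards.
if [ "${RUN_SETUP:-0}" = "1" ]; then
  write_udp_input "$APP_LOCAL" "$PORT"
  open_firewall_port "$PORT"
  send_test_syslog 127.0.0.1 "$PORT"
  echo "now search: $(search_query "$PORT")"
fi
```

After a Splunk restart, the test datagram should appear under the printed search; if tshark still shows packets arriving but nothing is indexed, compare the listener port in inputs.conf with the port in the firewall rule.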

PickleRick
SplunkTrust

There is an add-on for Palo Alto solutions.

https://splunkbase.splunk.com/app/7523

It is Splunk-supported so it should have a pretty decent manual.

0 Karma

m_tanaka
Explorer

Thank you for your reply.

There are two add-ons "Palo Alto Networks Add-on" and "Splunk Add-on for Palo Alto Networks".

Is it okay to go with either one?

The video I referred to on YouTube was about "Palo Alto Networks Add-on", and the search results were displayed successfully.

I confirmed that the Splunk server could receive the syslog packets successfully using tshark.

What is the problem with displaying the search results?

0 Karma

PickleRick
SplunkTrust

No. One is written by Palo Alto themselves - https://splunkbase.splunk.com/app/2757

It's the older one and it's now deprecated.

The new one is written and supported by Splunk - https://splunkbase.splunk.com/app/7523

Go for this one.

As a rule of thumb if you have a choice between a Splunk-supported add-on and a third-party one use the Splunk-supported one.

0 Karma

m_tanaka
Explorer

Thank you for your reply.

I will choose the Splunk-supported add-on.

0 Karma

PickleRick
SplunkTrust

The upside to the Splunk-supported add-ons is that they have decent documentation. In this case it's

https://splunk.github.io/splunk-add-on-for-palo-alto-networks/

0 Karma

m_tanaka
Explorer

Thank you.

I will use it as a reference.

0 Karma

dural_yyz
Builder

Palo introduced HTTP Event stream in OS 8.x, so if you have anything recent installed, it should support that as outbound log streaming. Alternatively, the logs can be exported over syslog, but that becomes infinitely more difficult to ingest if you have novice Splunk experience.

Once you can export the HTTP Event stream from Palo, you need to set up your Splunk instance to collect HEC/HTTP Event Collection, and there is a lot of documentation on how to do that.

Warning: Palo can generate a tremendous amount of logs and almost certainly exceeds your trial license capacity.

0 Karma

m_tanaka
Explorer

Thank you for your reply.

Our department's policy seems to be to use syslog export and forwarding...

I referred to this video

https://www.youtube.com/watch?v=wS5-jMS080s

and I'm trying to monitor syslog over Splunk. However, no events are displayed in Splunk search.

I used Wireshark (tshark), and then confirmed that the Splunk server could receive syslog packets.

Is there anything else that I should check?

0 Karma