Splunk Enterprise

Generating alerts using Palo Alto

m_tanaka
Explorer

I am from Japan. Sorry for my poor English and lack of knowledge about Splunk.

I received a Splunk Enterprise Trial License and would like to import Palo Alto logs and issue alerts (via email, etc.), but I am not sure how to do this (manually importing past logs succeeded). I wonder if past logs can issue alerts.

About our environment: I set up an all-in-one virtual server in our FJ Cloud (Fujitsu Cloud); it is one virtual server and Splunk is running there. There are no forwarders installed on other servers.

I would be more than happy if you could let me know. Thank you for your support.

0 Karma

m_tanaka
Explorer

The Palo Alto server transmits the syslog on port 5514 (port 514 was in use).

And I search with the query source="udp:5514".

Is there any problem with the query?

0 Karma

dural_yyz
Motivator

What is your Splunk configuration to listen for UDP 5514?

0 Karma

m_tanaka
Explorer

Thank you for your reply.

UDP port 514 was in use. I have no idea why it is used by another process. So, I needed to use another port to receive packets from the Palo Alto server.

However, I solved this problem. The firewalld daemon was blocking the packets coming into Splunk. I stopped firewalld, and could search the Palo Alto logs.

I will go on to the next step of issuing alerts from these logs.

0 Karma
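An added diagnostic script for the two problems described in this post (port 514 already bound by another process, firewalld dropping the syslog datagrams); it is example code, not from the thread. It opens only the needed port in firewalld rather than stopping the service, and assumes the add-on expects sourcetype pan:log (verify against the add-on's documentation) and that the stanza goes in $SPLUNK_HOME/etc/system/local/inputs.conf.

```shell
#!/bin/sh
# Added example, not from the thread: why does a Splunk UDP syslog input show
# no events? Assumptions: the Palo Alto add-on expects sourcetype pan:log
# (verify against its documentation) and the stanza goes in
# $SPLUNK_HOME/etc/system/local/inputs.conf.
set -eu

# Filter `ss -lunp` output (read from stdin) for a UDP listener on port $1.
# Prints the owning process column; exits 1 if nothing is bound there.
udp_listener_from_ss() {
    awk -v p="$1" '
        $1 == "UNCONN" && $4 ~ (":" p "$") {
            owner = ($NF ~ /^users:/) ? $NF : "(owner hidden: rerun ss as root)"
            print owner
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Check `firewall-cmd --list-ports` output (read from stdin) for $1/udp.
firewalld_port_open() { grep -qw "$1/udp"; }

# inputs.conf stanza that makes splunkd listen on UDP $1.
inputs_stanza() {
    printf '[udp://%s]\nsourcetype = pan:log\nno_appending_timestamp = true\n' "$1"
}

# Live diagnosis; runs only when invoked as: sh check_udp_input.sh --run [port]
diagnose() {
    port="$1"
    if owner=$(ss -lunp | udp_listener_from_ss "$port"); then
        echo "UDP $port is bound by $owner"
    else
        echo "nothing listens on UDP $port; add this stanza and restart splunkd:"
        inputs_stanza "$port"
    fi
    if [ "$(systemctl is-active firewalld 2>/dev/null)" = "active" ]; then
        if firewall-cmd --list-ports | firewalld_port_open "$port"; then
            echo "firewalld already allows $port/udp"
        else
            # Open just this port rather than stopping firewalld altogether.
            echo "firewalld drops $port/udp; run:"
            echo "  firewall-cmd --permanent --add-port=$port/udp && firewall-cmd --reload"
        fi
    fi
}

if [ "${1:-}" = "--run" ]; then diagnose "${2:-5514}"; fi
```

Run it as root so `ss -p` can show which process holds port 514; if that process is a local syslog daemon, either keep the 5514 input or stop that daemon before moving Splunk back to 514.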

PickleRick
SplunkTrust

There is an add-on for Palo Alto solutions.

https://splunkbase.splunk.com/app/7523

It is Splunk-supported so it should have a pretty decent manual.

0 Karma

m_tanaka
Explorer

Thank you for your reply.

There are two add-ons "Palo Alto Networks Add-on" and "Splunk Add-on for Palo Alto Networks".

Is it okay to go with either one?

The video I referred to on YouTube was about "Palo Alto Networks Add-on", and the search result was displayed successfully.

I confirmed that the Splunk server could receive the syslog packets successfully using tshark.

What is the problem with displaying the search results?

0 Karma

PickleRick
SplunkTrust

No. One is written by Palo Alto themselves - https://splunkbase.splunk.com/app/2757

It's the older one and it's now deprecated.

The new one is written and supported by Splunk - https://splunkbase.splunk.com/app/7523

Go for this one.

As a rule of thumb if you have a choice between a Splunk-supported add-on and a third-party one use the Splunk-supported one.

0 Karma

m_tanaka
Explorer

Thank you for your reply.

I will choose the Splunk-supported add-on.

0 Karma

PickleRick
SplunkTrust

The upside to the Splunk-supported add-ons is that they have decent documentation. In this case it's

https://splunk.github.io/splunk-add-on-for-palo-alto-networks/

0 Karma

m_tanaka
Explorer

Thank you.

I will use it as a reference.

0 Karma

dural_yyz
Motivator

Palo introduced HTTP Event stream in OS 8.x, so if you have anything recent installed it should support that as outbound log streaming. Alternatively, the logs can be exported over syslog, but it becomes infinitely more difficult to ingest if you have novice Splunk experience.

Once you can export the HTTP Event stream from Palo, you then need to set up your Splunk instance to collect HEC/HTTP Event Collection, and there is a lot of documentation on how to do that.

Warning: Palo can generate a tremendous amount of logs and almost certainly exceeds your trial license capacity.

0 Karma

m_tanaka
Explorer

Thank you for your reply.

Our department's policy seems to be to use exporting syslog and forwarding...

I referred to this video

https://www.youtube.com/watch?v=wS5-jMS080s

and I'm trying to monitor syslog in Splunk. However, no events are displayed in Splunk search.

I used Wireshark (tshark), and confirmed that the Splunk server could receive the syslog packets.

Is there anything else that I should check?

0 Karma