Thank you for your reply. I extracted data from palo alto using Splunk Add-on for Palo Alto Networks. Here is an example. Oct 28 13:46:12 192.168.248.2 1 2024-10-28T13:46:12+09:00 PA-VM - - - - 1,2024/10/28 13:46:09,007254000360102,TRAFFIC,start,2818,2024/10/28 13:46:09,192.168.252.100,13.107.5.93,192.168.252.2,13.107.5.93,dmz-to-internet,,,web-browsing,vsys1,DMZ,INTERNET,ethernet1/2,ethernet1/1,SecurityCheck,2024/10/28 13:46:12,497655,1,54084,443,35405,443,0x1400000,tcp,allow,5636,1220,4416,11,2024/10/28 13:46:10,0,computer-and-internet-info,,7423264892787200760,0x0,192.168.0.0-192.168.255.255,United States,,6,5,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,c2a50b1f-ea25-41ce-9c7c-709bde6deec4,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-10-28T13:46:12.041+09:00,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no,0,NonProxyTraffic,,0,0,0 About the second comment, The risk value is shown in the log. In the above example, the risk value is 4. (the value can be 1 ~ 5)  It is seems to be determined by Palo Alto (Palo Alto Add-on). However I wonder the true high risk communication can be extracted from logs and what action is the cause of the risky communication (by correlation search).  For now, I want to make correlation search from the palo alto log and Windows event log. ... View more

Thank you for your reply. UDP 514 port was in use. I have  no idea why it is used by another process. So, I needed to use another port to receive packets from palo alto server. However I solved this problem. The firewalld daemon was blocking the packets coming in Splunk. I stopped the firewalld, and could search the palo alto logs. I go for the next step of issuing alerts from these logs. ... View more

Thank you. I will use it as a reference.  ... View more

Thank you for your reply. I will choose the Splunk-supported add-on. ... View more

The palo alto server transmit the syslog with the port 5514. (514 port was in use) And I search with the query "source="udp:5514"". Is there any problem in the query ? ... View more

Thank you for your reply. There are two add-ons "Palo Alto Networks Add-on" and "Splunk Add-on for Palo Alto Networks". Is there okay to go with either one ? The video I referred on Youtube was about "Palo Alto Networks Add-on", and search result was displayed successfully. I confirmed that the splunk server could received the syslog packets successfully using tshark. what is the problem in displaying the search results. ... View more

Thank you for your reply.  Our department's policy seems to be to use exporting syslog and forwarding... I referred to this video https://www.youtube.com/watch?v=wS5-jMS080s and I'm trying to monitor syslog over Splunk. However no events displayed on Splunk search. I used Wireshark (tshark), and then confirmed that Splunk server could receive syslog packets. Is there anything else that I should check ? ... View more