Hello,
We have some PA devices in our network sending data to our master indexer over UDP:515. This data is being indexed fine, but one of our networks that's monitored is a guest network, and is sending a lot of extra information that we're looking to not index.
I've attempted to set a transform and property, but all that did was completely eliminate all new data, so I reverted that change.
Here's the inputs.conf:
[udp://515]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
index = pan_logs
The transforms.conf and props.conf exist in the defaults directory and are the defaults that came with the app.
I know you can modify all of the dashboards to include an exception to not include the results in searches, but the requester is asking to modify the data before it's indexed.
Anyone have any ideas on how to do this?
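For reference, here is a minimal props.conf/transforms.conf pair that drops only events matching a pattern and keeps everything else; this is an added example, not configuration from the original thread or from the Palo Alto app. It assumes the page's sourcetype `pan_log`, that the guest network's source addresses fall in the placeholder range 192.0.2.0/24, and that the UDP input is received directly by the indexer (so parsing, and therefore these settings, live on the indexer).

```ini
# props.conf -- place in $SPLUNK_HOME/etc/system/local/ (or the app's local/
# directory) on the indexer, never in default/. Parsing for a UDP input
# happens on the instance that receives it, which here is the indexer.
[pan_log]
TRANSFORMS-drop_guest = pan_drop_guest

# transforms.conf -- same local/ directory as props.conf above.
# Only events whose raw text matches REGEX are routed to nullQueue; all
# other events keep the default indexQueue. A transform that sets
# FORMAT = nullQueue with no selective REGEX (or with REGEX = .) matches
# every event and discards the whole feed, which is one common cause of
# the "all new data disappeared" symptom.
[pan_drop_guest]
# 192.0.2.0/24 is a placeholder (assumption) for the guest network range.
# PAN-OS syslog is comma-separated, so anchoring on the surrounding commas
# keeps the match to a whole address field rather than a substring.
REGEX = ,192\.0\.2\.\d{1,3},
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after saving; the change affects only events indexed from that point on, and nothing already on disk.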
There is a setting within PA that lets you exclude traffic from these searches. Our network guys figured this one out. No need to do anything from the Splunk side.
While I'm familiar with how to exclude specific log types in PA from being sent to Splunk (Threat, Informational, etc.), when you say "There is a setting within PA that lets you exclude traffic from these searches...", is that what you are referring to? If not, any details on excluding specific traffic? (i.e. we would like to exclude ipsec-to-lan and lan-to-ipsec traffic without using the nullQueue if possible.)
I would not recommend sending syslog from Palo Alto straight to Splunk. I would send it to an rsyslog or syslog-ng box. Filter as you want for what gets written to files and use the Universal Forwarder to pick up those files and send them to the indexers. Then you also get the benefits of indexer load balancing, not losing events while restarting Splunk, etc.
In principle I agree with you. However, this is the setup we have right now and I don't think I can get the other teams to readily convert to it.