
How to blacklist an IP from being indexed for Splunk for Palo Alto Networks?

deddleman
Explorer

Hello,

We have some PA devices in our network sending data to our master indexer over UDP:515. This data is being indexed fine, but one of our networks that's monitored is a guest network, and is sending a lot of extra information that we're looking to not index.

I've attempted to set a transform and property, but all that did was completely eliminate all new data, so I reverted that change.

Here's the inputs.conf:
# UDP listener stanza (corrected from "[udp//515]"; Splunk expects "udp://<port>")
[udp://515]
# host field is set to the IP of the sending device (the firewall), not the client
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
index = pan_logs

The transforms.conf and props.conf exist in the defaults directory and are the defaults that came with the app.

I know you can modify all of the dashboards to include an exception to not include the results in searches, but the requester is asking to modify the data before it's indexed.

Anyone have any ideas on how to do this?

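As an added illustration (not from anyone in this thread), this is what the Splunk-side transform-and-props approach the question mentions looks like when it targets only the guest network's events. It assumes the guest subnet is 192.0.2.0/24 (placeholder) and that both files live in the app's local/ directory on the indexer that parses the UDP input, not in default/.

```ini
# transforms.conf (local/)
# Route events whose raw text contains a guest-subnet address to nullQueue,
# i.e. discard them before indexing. PAN syslog is comma-separated, so the
# regex anchors the address on field boundaries to avoid partial matches
# such as 192.0.2.1 matching 192.0.21.5.
[drop_guest_network]
REGEX = (?:^|,)192\.0\.2\.\d{1,3}(?:,|$)
DEST_KEY = queue
FORMAT = nullQueue

# props.conf (local/)
# Apply the transform only to the sourcetype defined in inputs.conf.
# Everything that does not match the REGEX keeps flowing to the index.
[pan_log]
TRANSFORMS-drop_guest = drop_guest_network
```

Because inputs.conf uses connection_host = ip, the host field holds the firewall's own address, so a rule keyed on host (e.g. SOURCE_KEY = MetaData:Host) would drop every event from that firewall rather than just the guest traffic; matching on the raw event text, as above, is what narrows it to the guest subnet. The parsing tier needs a restart for the change to take effect, and a quick search on the guest subnet afterwards confirms those events stopped arriving while others still do.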
1 Solution

deddleman
Explorer

There is a setting within PA that lets you exclude traffic from these searches. Our network guys figured this one out. No need to do anything from the Splunk side.

topry
New Member

While I'm familiar with how to exclude specific log types in PA from being sent to Splunk (Threat, informational, etc.), when you say "There is a setting within PA that lets you exclude traffic from these searches...", is that what you are referring to? If not, any details on excluding specific traffic (i.e. we would like to exclude ipsec-to-lan and lan-to-ipsec traffic without using the nullQueue if possible)?


starcher
Influencer

I would not recommend sending syslog from Palo Alto straight to Splunk. I would send it to an rsyslog or syslog-ng box. Filter as you want for what gets written to files and use the Universal Forwarder to pick up those files and send them to the indexers. Then you also get the benefits of indexer load balancing, not losing events while restarting Splunk, etc.

deddleman
Explorer

In principle I agree with you. However, this is the setup we have right now and I don't think I can get the other teams to readily convert to it.
