
How to blacklist an IP from being indexed for Splunk for Palo Alto Networks?

deddleman
Explorer

Hello,

We have some PA devices in our network sending data to our master indexer over UDP:515. This data is being indexed fine, but one of the networks that's monitored is a guest network, and it is sending a lot of extra information that we're looking not to index.

I've attempted to set a transform and property, but all that did was completely eliminate all new data, so I reverted that change.

Here's the inputs.conf:
# inputs.conf on the indexer that receives the PAN syslog feed on UDP 515
[udp://515]
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
index = pan_logs

The transforms.conf and props.conf exist in the defaults directory and are the defaults that came with the app.

I know you can modify all of the dashboards to include an exception to not include the results in searches, but the requester is asking to modify the data before it's indexed.

Anyone have any ideas on how to do this?

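A Splunk-side way to do what the question asks, dropping guest-network traffic events before they are written to the index, is a nullQueue transform on the indexer that receives the UDP feed. This is an added example, not configuration from the original post or from the Splunk for Palo Alto Networks app. The guest subnet 10.99.0.0/16, the zone name guest, the class name guestfilter and the stanza names are assumptions, and the CSV field positions assume the PAN-OS TRAFFIC log layout (type in field 4, source address in field 8, source zone in field 17); check them against the documented log format for the PAN-OS version in use.

```ini
# props.conf  (on the indexer receiving UDP 515; put it in the app's local/
# directory, never in default/). Added example, not the app's own configuration.
[pan_log]
# A class name that the app does not already use ("guestfilter" is assumed)
# is merged with the app's own TRANSFORMS-* entries instead of replacing them.
TRANSFORMS-guestfilter = pan_drop_guest_src, pan_drop_guest_zone

# transforms.conf
# Assumed guest subnet 10.99.0.0/16 and guest zone name "guest".
# PAN-OS TRAFFIC records are CSV: after the TYPE field (TRAFFIC) come subtype,
# FUTURE_USE and generated_time, then the source address (field 8). The regex
# is left unanchored because the raw event still carries the syslog header.
[pan_drop_guest_src]
REGEX = ,TRAFFIC,(?:[^,]*,){3}10\.99\.\d{1,3}\.\d{1,3},
DEST_KEY = queue
FORMAT = nullQueue

# Alternative keyed on the source zone (field 17, twelve fields after TYPE),
# which keeps working if the guest subnet is ever readdressed.
[pan_drop_guest_zone]
REGEX = ,TRAFFIC,(?:[^,]*,){12}guest,
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after placing both files, then confirm with a search over index=pan_logs that new guest events stop arriving while the other zones continue. Before deploying, test each regex against already-indexed data with `| regex _raw=",TRAFFIC,(?:[^,]*,){3}10\.99\."` and look at what it matches: a pattern that matches every event is the usual reason a nullQueue transform silences the whole feed, which is what the question describes. The filter only touches TRAFFIC records; THREAT, SYSTEM and CONFIG logs from the same firewalls, including threat hits that involve guest hosts, are still indexed, which is normally what a security team wants. When the firewall side can be changed, the accepted answer's approach of not forwarding the guest traffic at all avoids the indexer doing this work.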
1 Solution

deddleman
Explorer

There is a setting within PA that lets you exclude traffic from these searches. Our network guys figured this one out. No need to do anything from the Splunk side.

topry
New Member

While I'm familiar with how to exclude specific log types in PA from being sent to Splunk (Threat, Informational, etc.), when you say "There is a setting within PA that lets you exclude traffic from these searches...", is that what you are referring to? If not, any details on excluding specific traffic (i.e., we would like to exclude ipsec-to-lan and lan-to-ipsec traffic without using the nullQueue, if possible)?


starcher
Influencer

I would not recommend sending syslog from Palo Alto straight to Splunk. I would send it to an rsyslog or syslog-ng box. Filter as you want for what gets written to files and use the Universal Forwarder to pick up those files and send them to the indexers. Then you also get the benefits of indexer load balancing, not losing events while restarting Splunk, etc.
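One way to build the pipeline starcher describes, as an added example rather than anything from the thread: rsyslog receives the firewall syslog on UDP 515, discards guest-network TRAFFIC records with a filter, writes everything else to a file, and a Universal Forwarder monitors that file. The file paths, the ruleset name, the guest subnet 10.99.0.0/16 and the CSV field positions are assumptions; the regex is POSIX ERE because that is what rsyslog's re_match() evaluates.

```conf
# /etc/rsyslog.d/10-paloalto.conf  (added example; paths and names are assumptions)
module(load="imudp")
input(type="imudp" port="515" ruleset="paloalto")

ruleset(name="paloalto") {
    # Drop guest-network TRAFFIC records before they reach disk. Field 8 of the
    # PAN-OS traffic CSV is the source address; the guest subnet 10.99.0.0/16 is
    # assumed. re_match() takes POSIX ERE, so no (?:...) groups, and [.] is used
    # for a literal dot to avoid backslash escaping inside the config string.
    if re_match($msg, ",TRAFFIC,([^,]*,){3}10[.]99[.]") then {
        stop
    }
    # Everything else is written to a file that the Universal Forwarder monitors.
    action(type="omfile" file="/var/log/paloalto/pan.log"
           template="RSYSLOG_TraditionalFileFormat")
}
```

On the forwarder, a `[monitor:///var/log/paloalto/pan.log]` stanza with `sourcetype = pan_log` and `index = pan_logs` replaces the `[udp://515]` input on the indexer, and the forwarder's outputs.conf can list every indexer so events are load balanced. Check the filter with a test message (for example `logger -n 127.0.0.1 -P 515 -d` with a copied TRAFFIC line) and confirm the guest line never appears in the file while a non-guest line does; a regex that accidentally matches the syslog header rather than the CSV body would discard the whole feed just as the in-Splunk transform can.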

deddleman
Explorer

In principle I agree with you. However this is the setup we have right now and I don't think I can get the other teams to readily convert to it.
