My end users want to be able to send url filtering logs to a different index than the rest of the palo alto logs.

jmantor
Path Finder

Can this be incorporated into the TA ?

0 Karma

jmantor
Path Finder

OK well I guess that can be done in some environments, but, I have a difficult enough time getting my network people to load balance one port on my syslog cluster. Multiple is not something we can do right now. Can the TA re-sourcetype url filtering logs? Maybe paloalto:urlfiltering ?

0 Karma

btorresgil
Builder

You can modify the index-time fields by regex matching for url logs and altering the sourcetype or index. This would be a configuration on your Splunk server using Splunk standard props.conf and transforms.conf. It wouldn't be added to the TA itself, just configured on your Splunk. Would that be preferable for your environment?

0 Karma
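An added example of the props.conf / transforms.conf approach described in the answer above (not configuration from the original thread or from the Palo Alto TA itself). It assumes the raw syslog input arrives with sourcetype `pan:log` and that the destination index `pan_url` already exists on the indexers; the regex relies on the PAN-OS CSV log layout, where the 4th comma-separated field is the log type (THREAT) and the 5th is the subtype (`url` for URL filtering), so check it against a real sample line before deploying. The rewritten sourcetype name `pan:url` is also an assumption.

```ini
# props.conf  (deploy to the heavy forwarder or indexer that parses the PAN syslog feed)
# "pan:log" is assumed to be the sourcetype of the raw syslog input; adjust to match yours.
# Index-time transforms run in the order listed; the index rewrite is listed first.
[pan:log]
TRANSFORMS-pan_url_route = pan_url_set_index, pan_url_set_sourcetype

# transforms.conf
# Field positions follow the PAN-OS CSV layout: ..., <serial>, THREAT, url, ...
# The leading [^,]* groups skip the syslog header and the first three CSV fields.
[pan_url_set_index]
REGEX    = ^[^,]*,[^,]*,[^,]*,THREAT,url,
DEST_KEY = _MetaData:Index
FORMAT   = pan_url

# Optional: only add this second transform if you actually want a distinct sourcetype.
[pan_url_set_sourcetype]
REGEX    = ^[^,]*,[^,]*,[^,]*,THREAT,url,
DEST_KEY = MetaData:Sourcetype
FORMAT   = sourcetype::pan:url
```

Routing only the index (the first transform) keeps the TA's own search-time field extractions intact, because the events still carry the sourcetype the TA expects. Rewriting the sourcetype as well gives the separate `pan:url` sourcetype asked for earlier in the thread, but any TA knowledge keyed on the original sourcetype will no longer apply to those events, so confirm field extraction and the relevant dashboards after the change. Index-time transforms only affect events parsed after the configuration is loaded; existing events stay where they were indexed.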

jmantor
Path Finder

Yes. I think props & transforms are the way to do this. I'd love to see those props and transforms included in the TA in the ./default subfolder giving me the ability to enable them in ./local and then push the TA to my syslog heavies, via our deployment server.

0 Karma

btorresgil
Builder

Hello,

This is possible starting in PAN-OS 8.0 with the existing TA. Splunk separates logs into different indexes per data input. So you need to create a different data input with a different port for your URL log index, then on the firewall, configure URL logs to go to this new port.

Prior to PAN-OS 8.0 you could separate logs to different ports by severity only. But in 8.0 and higher you can separate logs by severity and type, so you can send just URL logs to a specific port tied to your URL log index.

-Brian

0 Karma
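An added example of the per-port data input layout described in the answer above (not configuration from the original thread or from the TA). The port numbers, index names and the `pan:log` sourcetype are assumptions; use whatever ports your firewall's syslog server profile is configured to send to, and make sure both indexes exist before the inputs are enabled.

```ini
# inputs.conf on the syslog-receiving heavy forwarder
# One network input per port; each port is tied to its own index.
# The firewall log-forwarding profile sends all other log types to 5514
# and only URL filtering logs (type THREAT, subtype url) to 5515.

[udp://5514]
sourcetype = pan:log
index = pan_logs
connection_host = ip

[udp://5515]
sourcetype = pan:log
index = pan_url
connection_host = ip
```

Because the split happens at the input, no regex is involved and the TA's parsing is unchanged: both inputs keep the same sourcetype, so the TA's field extractions apply to URL events in `pan_url` exactly as they do to the rest. Verify the split with a quick search on each index after the firewall profile is updated, since a log-forwarding profile that still sends THREAT/url events to the original port will silently keep landing them in `pan_logs`.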