All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

With the Palo Alto Networks Add-on for Splunk, how do you change host of events received from Palo Alto firewalls through Panorama?

stefan_ghita
Explorer
‎10-04-2018 07:15 AM

Hello,

I'd like to hear your input on the following issue.

We are trying to index events from our Palo Alto firewalls. The firewalls forward the logs to a Panorama, the Panorama sends the logs to a syslog collector which puts them to a folder with the name of the sending device (the Panorama). Our universal forwarder (UF) is monitoring the syslog collector and for every file monitored, it sets the host as the name of the folder it is in and the source type pan:log. The result is that all our logs (from all the firewalls and the Panorama) are indexed with the MetaData:Host of the Panorama. So we want to rename the MetaData:Host with the value from the raw event (every log contains the hostname of the device that generated it), but we are having a hard time doing that.

The problem is that there are 4 types of logs (traffic, threat, system, config) that leave the UF with the same sourcetype (pan:log). We cannot extract the hostname with a simple regex from this sourcetype because each type of log has the hostname in a different place.

The Palo Alto Add-On (we have version 6.0.2) has the task of renaming the source type based on the event (from pan:logs to pan:traffic, pan:threat, pan:system and pan:config). It would be really easy to put a transform on these source types but we can't do that because the events cannot pass twice through the parsing queue.

The only options I can think of are the following:

—Put a transform on pan:log with a really complex regex that extracts the hostname based on the log type

—Customize the logs to have the hostname in the same place and extract them with a simple regex. (But in this case we would have to modify the extracts and also customize the logs for every new firewall that we get).

Anybody out there that know a better solution that the ones stated above?

Thank you.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-05-2018 01:00 AM

Hi @stefan_ghita,

As you mentioned that Panorama is sending logs to syslog server, can't you configure your syslog server to put different firewall logs in different directory For example: /opt/firewall-1/paloalto-1 , /opt/firewall-2/paloalto-2 etc. and then do Universal Forwarder config as below :

inputs.conf

[monitor:///opt/firewall-1/paloalto-1]
host_segment = 2
sourcetype = pan:log

[monitor:///opt/firewall-2/paloalto-2]
host_segment = 2
sourcetype = pan:log

With above configuration universal forwarder ingest /opt/firewall-1/paloalto-1 with hostname firewall-1 and /opt/firewall-2/paloalto-2 with hostname firewall-2

The way you are thinking to use REGEX to read each and every event of different type of network device logs and then do props and transforms to assign hostname will generate more load on your splunk server if you have millions of events generating by those devices.

0 Karma
Reply

stefan_ghita
Explorer
‎10-09-2018 03:49 AM

Thanks for your response @harsmarvania57.

We are currently doing that, but the syslog server sees all the logs as coming from the Panorama and is creating only one folder (for the Panorama). The logs are indeed coming only from Panorama, but their original source is different (other firewalls in our infrastructure). Is there a way to configure syslog-ng to put logs in different folders based on the content of the message? And, if there is, I'll have the same problem with the 4 log types.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-09-2018 04:24 AM

Yes you can filter logs on syslog-ng which you are receiving from Panorama, please check https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-... for syslog-ng configuration to filter logs to different log files.

0 Karma
Reply

493669
Super Champion
‎10-04-2018 11:14 PM

Hi @stefan_ghita ,
If logs are forwarded from universal forwarder to heavy forwarder on udp-514 then in Heavy forwarder add below stanza in inputs.conf -

[udp://514]
connection_host = ip
0 Karma
Reply

stefan_ghita
Explorer
‎10-09-2018 03:52 AM

Hi @493669,

The logs are forwarded from UF to indexers on 9997.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...