Splunk Dev

splunk cloud

raje1
Engager

I am configuring a Palo Alto firewall and Splunk to get data into Splunk Cloud from the firewall. I configured the firewall with a syslog server, and the syslog server is receiving the data from the firewall properly. I am using Splunk Enterprise as a heavy forwarder. I just want to ask you guys: is this the correct approach, and how can I configure Splunk Enterprise as a heavy forwarder? Or do I need to configure syslog more, like creating files (.conf) so it can direct logs? We are using the same syslog server for other logs like Cisco, and that is already configured and sending data to Splunk Cloud.

0 Karma

anmolpatel
Builder

You don't necessarily need the Heavy Forwarder. I would install the UF on the syslog server and download the UF app from Splunk Cloud. This will send all your syslog data to Splunk Cloud in an encrypted format.

Since you have data being sent by the same syslog server to Splunk Cloud, one of the above is already done.
What you need to do is create a new app within /opt/splunk/etc/apps which will monitor the Palo Alto logs.
Look at the monitor stanza:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#inputs.conf.example

I would also check whether any of the Palo Alto apps need to be installed on Splunk Cloud to parse the data correctly:
https://splunkbase.splunk.com/apps/#/search/Palo%20Alto/

0 Karma
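As an added example (not code from the thread or from Splunk), here is the monitor-stanza app the answer above describes, built as a small POSIX shell script so the files can be created and checked without Splunk installed. Assumptions not stated in the thread: the syslog daemon writes the firewall logs under a directory such as /var/log/paloalto, the apps directory is passed in (the thread names /opt/splunk/etc/apps; a Universal Forwarder normally uses /opt/splunkforwarder/etc/apps), the target index name pan_logs is a placeholder that must already exist in Splunk Cloud, and sourcetype pan:log is the sourcetype the Palo Alto Networks add-on expects for syslog data. The outputs.conf that points the UF at Splunk Cloud comes from the UF credentials app mentioned in the answer and is not written here.

```shell
#!/bin/sh
# Added example, not from the thread: create a Splunk app that monitors the
# Palo Alto syslog files on the syslog server.
#
# Assumptions (placeholders, verify for your environment):
#   - the syslog daemon writes firewall logs under the directory given as $2
#   - the index "pan_logs" exists in Splunk Cloud
#   - the Palo Alto Networks add-on expects sourcetype "pan:log"

# create_pan_app <etc/apps directory> <log directory>
# Writes local/inputs.conf and local/app.conf, prints the inputs.conf path.
create_pan_app() {
    apps_dir="$1"
    log_dir="$2"
    app_dir="$apps_dir/pan_syslog_inputs"
    mkdir -p "$app_dir/local" "$app_dir/metadata"

    # One monitor stanza for the whole directory; the UF tails new files as
    # the syslog daemon creates them.
    cat > "$app_dir/local/inputs.conf" <<EOF
[monitor://$log_dir]
disabled = false
sourcetype = pan:log
index = pan_logs
EOF

    # Minimal app.conf so the forwarder treats the directory as an enabled app
    cat > "$app_dir/local/app.conf" <<EOF
[install]
state = enabled
EOF

    printf '%s\n' "$app_dir/local/inputs.conf"
}

# has_monitor_stanza <inputs.conf> <log directory>
# Returns 0 when the expected monitor stanza is present in the file.
has_monitor_stanza() {
    grep -q "^\[monitor://$2\]" "$1"
}

# Stand-alone usage (writes under the directory given on the command line):
#   sh create_pan_app.sh /opt/splunkforwarder/etc/apps /var/log/paloalto
if [ "$#" -eq 2 ]; then
    conf=$(create_pan_app "$1" "$2")
    has_monitor_stanza "$conf" "$2" && echo "wrote $conf"
fi
```

After the script runs, restart the forwarder so it picks up the new inputs.conf, and confirm in Splunk Cloud that events arrive with sourcetype pan:log before installing or tuning the Palo Alto add-on.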

raje1
Engager

Thank you, that was helpful for me. One more question: I have one more Palo Alto firewall for the same organization, so should I do it with APIs or follow the same process? Please let me know.

Thanks!

0 Karma

rajveer005
Engager

But my manager wants me to configure it using APIs. Can you please help me? It is a totally different Palo Alto firewall for another department.

0 Karma

anmolpatel
Builder
0 Karma

rajveer005
Engager

Yes, it's quite helpful, but I wonder whether it is applicable to Splunk Cloud, as it is mentioned for on-premises Splunk Enterprise.

0 Karma

anmolpatel
Builder

If you must go with the API, then you will need to install it on an HF.
So: FW <--- (install TA which uses API) HF ---> Splunk Cloud

The syslog option is the best solution:
FW ---> Syslog (install UF with Splunk cloud config) --> Splunk Cloud

0 Karma

rajveer005
Engager

Can you please explain the APIs in detail, like the overview and working environment? How will it work, and do I need the API for both Palo Alto and Splunk Cloud?

0 Karma

anmolpatel
Builder

No issues with how it is currently being done, so stick to the standardised approach where the syslogs are collected on the syslog server, and update the document.

0 Karma