
splunk cloud

raje1
Engager

I am configuring a Palo Alto firewall and Splunk to get data into Splunk Cloud from the firewall. I configured the firewall with a syslog server, and the syslog server is getting the data from the firewall properly. I am using Splunk Enterprise as a heavy forwarder. I just want to ask you guys: is this the correct approach, and how can I configure Splunk Enterprise as a heavy forwarder? Or do I need to configure syslog more, like creating files (.conf) so it can direct the logs? We are using the same syslog server for other logs, like Cisco, and that is already configured and sending data to Splunk Cloud.

0 Karma

anmolpatel
Builder

You don't necessarily need the Heavy Forwarder. I would install the UF on the syslog server and download the UF app from Splunk Cloud. This will send all your syslog data to Splunk Cloud in an encrypted format.

Since you have data being sent by the same syslog server to Splunk Cloud, one of the above is already done.
What you need to do is create a new app within /opt/splunk/etc/apps which will monitor the Palo Alto logs.
Look at the monitor stanza:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#inputs.conf.example

I would also check whether any of the Palo Alto apps need to be installed on Splunk Cloud to parse the data correctly:
https://splunkbase.splunk.com/apps/#/search/Palo%20Alto/

0 Karma
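As an added example (not from the thread or from Splunk's own documentation), here is what the monitor stanza for such an app could look like on the syslog server. The app name, the /var/log/pan/<firewall-host>/ layout, the index name and the sourcetype are assumptions; the sourcetype is the one the Palo Alto add-on documents for syslog input, so verify it against the add-on version you install in Splunk Cloud.

```ini
# /opt/splunk/etc/apps/pan_syslog_inputs/local/inputs.conf
# Assumptions for this example: the app name, the log path, the index name
# and the sourcetype. Adjust them to your syslog server and Splunk Cloud setup.
#
# No outputs.conf is needed in this app: the UF credentials app downloaded
# from Splunk Cloud already tells the UF where to forward and provides TLS.

# Monitor the directory the syslog daemon writes Palo Alto logs to.
# Assumes rsyslog/syslog-ng writes one file per firewall under
# /var/log/pan/<firewall-hostname>/ (e.g. /var/log/pan/fw-dept-a/pan.log).
[monitor:///var/log/pan]
disabled = 0

# Descend into the per-firewall subdirectories
recursive = true

# Index only the live log files; skip rotated/compressed copies
whitelist = \.log$
blacklist = \.(gz|bz2|zip)$

# Use the 4th path segment as the host field:
# /var/log/pan/<host>/pan.log -> segment 1=var, 2=log, 3=pan, 4=<host>
host_segment = 4

# Sourcetype expected by the Splunk Add-on for Palo Alto Networks (assumed;
# verify against the version installed in Splunk Cloud)
sourcetype = pan:log

# Index created in Splunk Cloud for this data (assumed name)
index = pan_logs
```

After restarting the UF, `$SPLUNK_HOME/bin/splunk list monitor` shows whether the path is being tailed, and a search on `index=pan_logs` in Splunk Cloud confirms the events arrive with the expected host and sourcetype.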

raje1
Engager

Thank you, that was helpful for me. One more question: I have one more Palo Alto firewall for the same organization, so should I do it with APIs or follow the same process? Please let me know.

Thanks!

0 Karma

rajveer005
Engager

But my manager wants me to configure it by using APIs. Can you please help me? It is a totally different Palo Alto firewall for another department.

0 Karma

anmolpatel
Builder
0 Karma

rajveer005
Engager

Yes, it's quite helpful, but I wonder whether it is applicable to Splunk Cloud, as it is mentioned for on-premises Splunk Enterprise.

0 Karma

anmolpatel
Builder

If you must go with the API, then you will need to install it on an HF.
So: FW <--- (install TA which uses API) HF ---> Splunk Cloud

The syslog option is the best solution:
FW ---> Syslog (install UF with Splunk cloud config) --> Splunk Cloud

0 Karma

rajveer005
Engager

Can you please explain the APIs in detail, like the overview and working environment? How will it work, and do I need the APIs from both Palo Alto and Splunk Cloud?

0 Karma

anmolpatel
Builder

No issues with how it is currently being done. So stick to the standardised approach where the syslogs are collected to the syslog server and update the document.

0 Karma