Hi all! I've always had a pretty straightforward approach to bringing my Palo logs straight into an on-prem Search Head / Indexer just via port 514 / syslog. That's a pretty straightforward setup. I'm trying to set up the more recommended way, now that my Splunk Search Head / Indexer is hosted at AWS. So, I set up a Universal Forwarder on an Ubuntu Server on the same network as my Panorama instance and am sending the Panorama syslog feed to the UF, which is running syslog-ng. I see those log files coming in and saving to /var/log/udp514.log. I set up the UF to connect as a forwarder to the Splunk instance on port 9997 and have added /var/log/514.log to be monitored via "./splunk/add monitor /var/log/udp514.log".

I see that logging on the UF and then coming in to Splunk, but it is all logging to the main index. Logically I know that either on the UF or on the Splunk indexer I need to use the PA app to tell it to log to my paloalto index, but I don't know where. I can't seem to add a data input to also listen on 9997. That seems to be a conflict, and my normal method of looking for logs on port 514 doesn't apply anymore... So how do I tell my Splunk indexer to look at the stream coming in on 9997 and move the logs associated with Palo Alto over to where the app is looking for them (index=paloalto)? I'll also be logging much more to the UF soon as well...
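An added example of the input configuration that sets the destination index on the forwarder side, which is not part of the original post. The file path and index name are the ones the question mentions; the sourcetype value is an assumption here (the Palo Alto Networks Add-on for Splunk expects its syslog input tagged as pan:log and re-types each event to pan:traffic, pan:threat and so on with its own props/transforms at index time), so confirm it against the documentation of the add-on version actually installed. On the Universal Forwarder this goes in $SPLUNK_HOME/etc/system/local/inputs.conf, replacing or overriding the stanza the `add monitor` command wrote:

```ini
; Added example, not from the original post: Universal Forwarder inputs.conf.
; Path and index come from the question; sourcetype = pan:log is an assumption
; about the Palo Alto Networks Add-on's expected input sourcetype.
[monitor:///var/log/udp514.log]
index = paloalto
sourcetype = pan:log
disabled = false
```

The UF stamps index and sourcetype on each event before it leaves the host, so nothing on the indexer needs to "listen" for Palo Alto traffic: the single receiver on 9997 (Settings > Forwarding and receiving, or a [splunktcp://9997] stanza in the indexer's inputs.conf) already accepts the stream, and the add-on's parsing rules run on the indexer once the add-on is installed there. Two things to check: the paloalto index must already exist on the indexer, otherwise the events are not stored, and the UF needs a restart after the edit. The same stanza can also be produced from the CLI with `splunk add monitor /var/log/udp514.log -index paloalto -sourcetype pan:log`; each additional log source you add to the UF later gets its own [monitor://...] stanza with its own index and sourcetype.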