You can verify the log reached Splunk by going to the Splunk for Palo Alto Networks app, click Search in the navigation bar, and enter: You don't have to commit the change for the syslog to be produced-any uncommitted change to the configuration produces a log. ![]() ![]() Make any configuration change and the firewall produces a config event syslog. Go to Device > Log Settings > Config and commit. The easiest way to test that everything is working is to configure the firewall to syslog all config events. Other configurable syslog events are under Device > Log Settings. Security policy rules are under Policies > Security. Or configure the firewall to log config or system events to the Splunk syslog server. For example, configure a security policy rule with a Log Forwarding Profile that uses the Splunk syslog server. Configure a logging mechanism on the firewall to use the syslog server.The logs must be in the default format or Splunk won't parse them. Configure the details for the Splunk server, including the UDP port (5514, for this example).Go to Device > Server Profiles > Syslog.Copy and paste the key into the WildFire API Key (see example).Īfter completing setup on the Splunk site, set up the Palo Alto Networks device to send syslogs to Splunk. Note: After logging into the WildFire Portal for WildFire subscribers, access the WildFire API key under the account. Add the appropriate username/password credentials for the Palo Alto Networks firewall and the WildFire API key.Go to Apps > Splunk for Palo Alto Networks.If you don't want to use these extra features, skip the setup screen by clicking Save. These credentials are stored in Splunk using encryption the same way other Splunk credentials are stored. The WildFire API is required only for WildFire subscribers who want Splunk to index WildFire analysis reports from the cloud when a malware sample is analyzed. You need the credentials only if you want to use the custom commands pantag, panblock, and panupdate. The first time running the app from the WebUI, a setup screen displays. Reset the Splunk service on the server running the Splunk for Palo Alto Networks app.Īfter configuring the data input, access and configure the app.For UDP syslogs, make sure to include the line no_appending_timestamp = true. In the nf file, add the following configuration. ![]() $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/.Note: See the "Configuration file precedence" section in the Splunk Enterprise Admin Manual for more on the way precedences are checked on Splunk. Check the nf in the following directories: TCP and SSL syslogs are available in PAN-OS 6.0 and later.Ĭheck the settings in the Splunk nf file and verify that no other configuration is using the UDP or TCP port you chose for syslogs from the firewall. The Palo Alto Networks Next-generation Firewall uses udp/514 for syslog by default, but since this port is often used by other syslogs, we'll use udp/5514 in our examples. If there are separate indexers and search head, install the application on all of them. Depending on the OS of the server that's running Splunk, follow the installation recommendations from the Splunk website. Note: Download Splunk for Palo Alto Networks directly from the Splunk site at. This document describes how to configure Splunk for Palo Alto Networks, and covers most problems in configuring Splunk for the first time. Splunk for Palo Alto Networks is a security reporting and analysis tool, and is the result of a collaboration between Palo Alto Networks and Splunk. All documentation is now available at Overview
0 Comments
Leave a Reply. |