Firewalls and Panorama
Logging architectures
The Log Forwarding App for Logging Service forwards syslog from the Palo Alto Networks Logging Service to Splunk over an SSL connection.
Firewalls can send logs to Splunk directly, or they can send logs to Panorama or a Log Collector which forwards the logs to Splunk.
Panorama sends its own logs to Splunk and can forward logs from firewalls to Splunk.
Each product sends syslog to Splunk using the following protocols:
| Product | Syslog Protocols |
|---|---|
| Log Forwarding App for Logging Service | SSL |
| Next-generation Firewall | UDP, TCP, or SSL |
| Panorama | UDP, TCP, or SSL |
Create a data input
Use the GUI to create a Data Input, or create it in inputs.conf using the CLI.
Firewalls and Panorama can all send logs to the same data input and port. The Add-on will automatically detect the source of each log and parse it correctly.
Select a sourcetype
| Log source | Sourcetype |
|---|---|
| Only Firewall logs | pan:firewall |
It is preferable to use pan:firewall instead of pan:log because less parsing is required and timestamps will be slightly more accurate.
GUI
- In the top right corner, click Settings -> Data inputs
- In the row for UDP or TCP, click Add new (SSL data inputs can't be created in the GUI)
- Enter a port number and click Next
- Click Select Sourcetype -> Network & Security -> pan:firewall
- Change the App Context to the Palo Alto Networks Add-on
- Set any other settings such as Method or Index as appropriate for your environment
- Click Review, followed by Submit
You can optionally use a more specific sourcetype than pan:log such as pan:firewall.
CLI
Create the inputs.conf in the correct directory:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf
The local directory is not created during installation, so you may need to create it. The inputs.conf file does not have to live in the Add-on directory, but placing it there is Splunk best practice.
Add the following lines to the inputs.conf file. This example uses the default syslog port UDP 514. Change the port as needed:

```ini
# UDP syslog input on port 514
[udp://514]
# Firewall logs parsed by the Palo Alto Networks Add-on
sourcetype = pan:firewall
# Required for UDP: do not let Splunk prepend its own timestamp
no_appending_timestamp = true
# Optional: store the logs in a dedicated index
index = pan_logs
```
For UDP inputs, the no_appending_timestamp setting is required. For TCP or SSL syslog inputs, remove the no_appending_timestamp setting.
You can optionally set an index to store the logs, or remove the index setting to store logs in the default index.
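As an added example (not part of this guide or the Add-on), the following script checks an inputs.conf against the rules above: UDP stanzas must carry no_appending_timestamp = true, TCP and SSL stanzas must not, and the sourcetype should be one of those named on this page (pan:firewall preferred over pan:log). The sample inputs.conf is constructed; the `[tcp-ssl:<port>]` stanza name is assumed to follow Splunk's inputs.conf convention.

```python
"""Validate Splunk inputs.conf syslog stanzas for the Palo Alto Networks Add-on."""
import configparser

# Constructed sample: one correct UDP stanza, one correct SSL stanza,
# and two stanzas that break the rules described above.
SAMPLE_INPUTS_CONF = """
[udp://514]
sourcetype = pan:firewall
no_appending_timestamp = true
index = pan_logs

[tcp-ssl:6514]
sourcetype = pan:firewall
index = pan_logs

[tcp://5514]
sourcetype = pan:firewall
no_appending_timestamp = true

[udp://1514]
sourcetype = pan:log
"""

KNOWN_SOURCETYPES = ("pan:firewall", "pan:log")  # the ones named on this page


def check_inputs_conf(text):
    """Return {stanza: [findings]} for udp/tcp/tcp-ssl stanzas; [] means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for stanza in cp.sections():
        proto = stanza.split(":", 1)[0].lower()   # "udp://514" -> "udp"
        if proto not in ("udp", "tcp", "tcp-ssl"):
            continue  # not a network syslog input
        sec = cp[stanza]
        problems = []
        st = sec.get("sourcetype", "")
        if st not in KNOWN_SOURCETYPES:
            problems.append(f"unexpected sourcetype {st!r}")
        elif st == "pan:log":
            problems.append("pan:log works, but pan:firewall needs less parsing")
        flag_set = sec.get("no_appending_timestamp", "").lower() == "true"
        if proto == "udp" and not flag_set:
            problems.append("UDP stanza must set no_appending_timestamp = true")
        if proto != "udp" and "no_appending_timestamp" in sec:
            problems.append("remove no_appending_timestamp for TCP/SSL inputs")
        findings[stanza] = problems
    return findings
```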
Configure the Firewall
There are two ways to send logs from a Next-generation Firewall to Splunk:
- All firewalls syslog directly to Splunk
- All firewalls log to Panorama, then Panorama syslogs to Splunk
The Palo Alto Networks syslog documentation describes each option in detail:
Firewall and Panorama syslog to Splunk: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring
Firewall and Panorama logs must be sent in the default format. Custom formats, CEF, and LEEF format cannot be parsed by the Splunk Add-on.
Test the configuration
The easiest way to test that everything is working is to configure the firewall to syslog all config events. On the firewall or Panorama, navigate to the Device tab, then Log Settings. Enable config logs and commit the configuration.
Now make any configuration change, and the firewall will produce a config event syslog. You don't have to commit the change for the syslog to be produced; any uncommitted change to the configuration produces a log.
After waiting for the applicable interval, check that logs are arriving in Splunk by clicking Search at the top and entering this search:
eventtype=pan_config
If Splunk is getting the syslogs from the firewall and parsing them correctly, then you’ll see the config event syslogs show up here from the changes you made on the firewall configuration.
If you don’t see the syslog, verify the steps above or try the Troubleshooting Guide.