topic Re: Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub in VM-Series in the Public Cloud

Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

BilalMohd — Tue, 11 Jun 2024 08:01:21 GMT

Hi All,

We're looking into some sort of cloud-based solution to route our Palo Alto firewall logs to across our customer base. I was intrigued by the Event Hubs (https://azure.microsoft.com/en-us/products/event-hubs/) solution as a way to push logs to it and then ingest them from there into our SIEM (Splunk). Is there a way, we can directly push logs from Palo Alto VM-series firewalls in Azure to Eventhub and then ingest it to Splunk from there? I have tried to search for documentation around it but nothing of help as such. Can someone please help me here? We need to setup something like this (attached in screenshot). @BPry @TomYoung @OtakarKlier @lmori

#PaloAlto #Logging #EventHub #SEIM #Splunk

Do I need to setup AKS with fluentd in between firewalls and Eventhub before pushing the logs to Eventhub?

Re: Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

OtakarKlier — Wed, 12 Jun 2024 14:42:36 GMT

Hello,

Not familiar with either Splunk or EventHub, however the Palo Alto can send its syslog's to any destination. If Eventhub can accept syslogs, then I cant see why it wont send there. You can also send the logs to several destinations, ie EventHub and Splunk from the PAN. Not sure what the end goal is to sent ot both.

Hope this helps.

Regards,

Re: Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

PavelK — Mon, 17 Jun 2024 02:26:49 GMT

Hello @BilalMohd

Based on documentation Azure Event Hubs supports streaming of incoming data with HTTPS. Palo Alto supports log forwarding from Firewalls over HTTPS: Forward Logs to an HTTP/S Destination. The part to send logs from Azure Event Hubs is tricky. I came across this blog post: https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-Splunk-from-Azure-Event-Hub/td-p/618022 which indicates this might be possible.

Kind Regards

Pavel

Re: Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

KateWinslet1 — Fri, 28 Jun 2024 19:01:58 GMT

To route Palo Alto firewall logs to Splunk via Azure Event Hub, configure the firewall to send logs to an Azure Function or Logic App, which forwards them to Event Hub. Install the Splunk Add-on for Microsoft Cloud Services and configure it to ingest logs from Event Hub, enabling efficient log management and analysis in Splunk.

Re: Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

BrettLee1 — Mon, 28 Oct 2024 13:39:32 GMT

Configure Palo Alto to send logs to Azure Event Hub via an Azure Function or Logic App. Then, install the Splunk Add-on for Microsoft Cloud Services to ingest logs from Event Hub for efficient analysis in Splunk.