After a recent failure HD on my normally active firewall, it appears I'm going to lose close on 12 months of logs because Palo Alto has no defined process to get the logs off a failed hard drive (where the log partition is still accessible) onto the replaced drive.
Yes, I have tried scp log export/import - I've swapped the old HD in and gotten it to the point I can get an export, but I can't re-import it.
Anyway, that's not the point of this.
My boss wanted an alternate solution to keeping the logs on the device, so as to avoid this in future - Panorama of course came up, but the pricing for it is *completely* ridiculous, so it's out of the question.
Does anyone have suggestions to an alternate, external log collection point which can give me meaningful data/reports? I don't mind if it costs a bit - but my boss baulked at the much higher amount we were quoted for the VM version of Panorama, so I'd like to keep the costs down to maybe $2-3k if I can.
I've heard Splunk mentioned, but a quick perusal looks like it's *way* overkill for what I want.
Anyone else got a solution/suggestion?
I would say that if you are looking for long term archive referral of firewall information you do want a tool on the caliber of Splunk security or another professional SIEM platform like Qradar. These tools go beyond basic syslog storage to allow you to correlate and find the information you need when doing an investigation or troubleshooting.
The other advantage they have is they scale well and allow the correlations to server, switch and router infrastructure in addition to the firewalls. And they are easy to expand storage for longer archive terms as needed.
Splunk also offers a basic free version that supports 500 meg logging per day that would cover the syslog fundamentals if you don't want to go for a SIEM solution.
Thanks for the reply.
I think QRadar is probably out of the question - looking at the US prices I flinched!
My biggest issue with Splunk is that it appears to be more than I need, and I'm not sure how it integrates with the Palo Alto at all - but I'm also not sure how else I would go about getting log storage and reporting off the devices themselves - yes, I can dump it to Syslog - but getting meaningful analysis out of a Syslog server has always been an exercise in frustration.
Have you actually implemented Splunk in conjunction with the Palo Alto at all, and are able to say how well it works compared to the on-the-box reporting?
I have Splunk implemented in my lab taking a syslog feed from Panorama that's managing 3 PA firewalls. Palo Alto Networks has a really nice FREE Splunk App to present and analyze the data sent to Splunk from the PA firewalls or in my case, Panorama.
I hope this helps.
you can use any syslog server/service you want. enable on each policy the log forwarding to the syslog service and modify also the Log Settings to the syslog server.
we are using arcsight as syslog endpoint, because we creating some special reports and analyses.
I've used both Qradar and Splunk and both are strong platforms. I think that Qradar is stronger in customizing reports and fields for security. But Splunk is stronger in ease of use for creating reports on the fly.
Splunk does have an initiative to work more tightly with PA logging. They were an active participant to show the tools they have developed at Ignite this year and they do look good. But I have not used them in production.
I can't speak to implementation or cost, as I've only been a user/consumer of the services not the original installer.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!