I am standing up Panorama and not sure where to send logs. I currently have my firewalls sending logs to Splunk via a syslog server, and I want to keep getting logs into Splunk. Is there a best practice or recommended config?
Option 1. Send firewall logs to Panorama and then from Panorama to Splunk
Option 2. Configure firewalls to send to both Panorama and Splunk
Option 3. Something else?
I would use Option 1 if all your devices are in close proximity. If your devices are segmented by latency/country border I would use a HF from Splunk to compress/encrypt and then send it to your Splunk server.
Remember to configure your stanzas in your inputs.conf correctly
sourcetype = pan:firewall
index = security
disabled = false
# only for udp inputs
no_appending_timestamp = true
acceptFrom = x.x.x.x/x, x.x.x.x/x
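As an added illustration (not from the thread or from Splunk's own tooling), here is a small Python lint for the inputs.conf settings listed above: it checks that a listener stanza carries the pan:firewall sourcetype, that no_appending_timestamp is used only on udp inputs, and that acceptFrom actually restricts sources to firewall/Panorama addresses. The sample config, stanza names, ports and CIDRs are constructed assumptions.

```python
import configparser
import ipaddress

# Constructed sample inputs.conf (stanza names, ports and CIDRs are assumptions).
SAMPLE_INPUTS_CONF = """
[udp://514]
sourcetype = pan:firewall
index = security
disabled = false
no_appending_timestamp = true
acceptFrom = 10.0.10.0/24, 10.0.20.5/32

[tcp://1514]
sourcetype = pan:firewall
index = security
disabled = false
no_appending_timestamp = true
acceptFrom = 0.0.0.0/0
"""

def parse_inputs_conf(text):
    # Splunk .conf files are INI-style; keep key case (acceptFrom, no_appending_timestamp).
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_stanza(name, kv):
    # Return findings for one syslog listener stanza; an empty list means it matches the reply above.
    findings = []
    if kv.get("sourcetype") != "pan:firewall":
        findings.append("sourcetype is not pan:firewall")
    if kv.get("disabled", "false").lower() != "false":
        findings.append("input is disabled")
    if name.startswith("udp://") and kv.get("no_appending_timestamp", "").lower() != "true":
        findings.append("udp input without no_appending_timestamp=true, Splunk will prepend its own timestamp/host")
    if not name.startswith("udp://") and "no_appending_timestamp" in kv:
        findings.append("no_appending_timestamp only applies to udp inputs")
    acl = [a.strip() for a in kv.get("acceptFrom", "").split(",") if a.strip()]
    if not acl:
        findings.append("acceptFrom missing, listener accepts syslog from any host")
    for entry in acl:
        try:
            wide_open = entry == "*" or ipaddress.ip_network(entry, strict=False).prefixlen == 0
        except ValueError:
            findings.append(f"acceptFrom entry is not a CIDR: {entry}")
            continue
        if wide_open:
            findings.append("acceptFrom allows all sources, restrict it to firewall/Panorama addresses")
    return findings
```

Run lint_stanza over each stanza returned by parse_inputs_conf; the udp stanza in the sample passes clean, while the tcp stanza is flagged for the misplaced no_appending_timestamp and the 0.0.0.0/0 acceptFrom.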
I wouldn't say that any one method is technically better than the other. The benefit of sending the logs directly to Panorama and then forwarding those logs to Splunk from Panorama, rather than forwarding to Splunk directly from the firewalls, is simply that you have less log forwarding happening directly on the firewall. Depending on how you've spec'd the firewalls that has a lot of benefit and can help make sure that logs make it off the box successfully.
On the flip side of that if something happens to your Panorama instance or the firewall simply loses that connection, you still have access to those logs in one centralized location without having to log directly into the box in question. So you have this trade-off where option 1 looks really appealing, but can also lead to issues during a Panorama outage if one was to ever happen.
Log forwarding, especially depending on what you want/need in Splunk, really isn't that resource intensive on the firewall side. So if you have say a SOC who really needs those threat or URL logs to show up in Splunk with everything else they're collecting, it would probably be worth having the firewalls sending those logs directly to Splunk themselves in addition to sending them to Panorama. You're cutting out that Panorama dependency that would otherwise be an additional outage point.
So Option 2 sending to both Splunk and Panorama is feasible and not a strain on the firewalls? If so, then this is the option I'm leaning toward since it would help provide another layer of redundancy for log shipping.
It's absolutely feasible and something that quite a lot of clients do. If that's what you're looking to do, I would enable it and monitor for any failures in the logs to make sure that you aren't trying to push too many logs, but it should be perfectly fine.