Using Splunk for collecting PA logs


L2 Linker

Hi.

 

We have a PA-5050 running PAN-OS 6.1.5. With the limited disk space we currently only get about 4-5 days' worth of traffic log before it starts overwriting older events. We would like to increase this period to at least 6 months. One solution would be to set up Panorama, which as a virtual appliance presumably would have unlimited disk space available for logging, but since we only have one PA firewall it would be a bit overkill for us. Another solution that has been suggested to us is to use Splunk and their PA app and forward all logs from the PA-5050 to Splunk. My concern here would be if the user interface in Splunk is very different from what the Monitor tab on the PA-5050 shows us.

 

Does anyone here use the Splunk solution and have any feedback on how easy it is to use in everyday monitoring and troubleshooting compared to the built-in log viewer in the PA management GUI?

 

Are there any other systems out there, other than Panorama and Splunk, in use?

Accepted Solution

Hi,

 

Good point by Benjamin: the correlation engine is a new feature in 7.0 and it is supported by Panorama too.

 

I would say, if you have no other log collector, SIM/SEM, whatever, Splunk will do. It is pretty much possible to send logs anywhere with the syslog configuration, so you can send to a log collector as well (a free Linux syslog interface) and to any other logger.

 

IMNHO, if you won't go Panorama, then just do the reporting from the firewall for shorter periods (daily / weekly) and give up on the idea of having the same depth and quality of view in Splunk; use Splunk only for historical / drilldown reviews etc.... How often will you be investigating something that happened weeks or months ago, anyway? Those monthly and/or quarterly reports are asked for by management, mostly; nobody normal / technical reads them :))) If they want those, let them budget in Panorama; otherwise, go Splunk or another free solution 🙂

 

Regards

 

Luciano


8 Replies

L5 Sessionator

Hi,

 

Splunk is a nice solution. Of course, the monitor tabs and graphs in Splunk are different from those in the Palo, but they are usable.

Then, making a choice between Splunk and Panorama.... big question 🙂

   - From a monitoring point of view: if you are used to the Palo, the graphs in Pano are exactly the same ..

   - From a cost point of view: keep in mind that Splunk's cost is based on the amount of log per day ... In your case it can be huge and therefore expensive ...

 

Keep in mind that maybe one day you will have a cluster ... or more palo ..

If you already use Splunk in your company, why not, then .....

 

Hope this helps
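Two points raised in the thread drive the sizing decision: the firewall can forward its logs via syslog to any collector, and Splunk is licensed on daily ingest volume while the OP's real constraint is how many days fit on disk. The script below is an added example and not part of the thread or of any Palo Alto Networks or Splunk tool. It parses syslog lines in the shape a PAN-OS device forwards (RFC 3164 header followed by a CSV body), counts events and bytes per day and log type, and projects the storage needed for a 180-day retention target. The sample lines are constructed, and the CSV field positions (receive time at index 1, type at 3, subtype at 4) are an assumption based on the PAN-OS 6.1 field order; check them against the release's log-format documentation before trusting the numbers.

```python
import csv
import re

# Constructed sample (not real firewall output): two days of syslog lines as a
# PAN-OS device forwards them, RFC 3164 header followed by the CSV log body.
# The THREAT line shows a quoted URL field containing commas, which is why the
# csv module is used instead of a plain split(",").
SAMPLE_LOGS = """\
Aug 28 18:20:23 pa5050 1,2015/08/28 18:20:23,001122334455,TRAFFIC,end,1,2015/08/28 18:20:23,10.1.1.5,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-syslog,2015/08/28 18:20:23,12345,1,52344,80,0,0,0x0,tcp,allow,5120,1024,4096,12,2015/08/28 18:20:10,13,computer-and-internet-info
Aug 28 18:21:07 pa5050 1,2015/08/28 18:21:07,001122334455,TRAFFIC,drop,1,2015/08/28 18:21:07,203.0.113.9,10.1.1.80,0.0.0.0,0.0.0.0,deny-inbound,,,unknown-tcp,vsys1,untrust,trust,ethernet1/1,ethernet1/2,fwd-syslog,2015/08/28 18:21:07,12346,1,40111,3389,0,0,0x0,tcp,deny,60,60,0,1,2015/08/28 18:21:07,0,any
Aug 28 18:22:40 pa5050 1,2015/08/28 18:22:40,001122334455,THREAT,url,1,2015/08/28 18:22:40,10.1.1.7,198.51.100.44,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-syslog,2015/08/28 18:22:40,12347,1,50020,80,0,0,0x0,tcp,block-url,"example.test/path,with,commas",(9999),malware,informational,client-to-server
Aug 29 09:05:12 pa5050 1,2015/08/29 09:05:12,001122334455,TRAFFIC,end,1,2015/08/29 09:05:12,10.1.1.5,198.51.100.21,0.0.0.0,0.0.0.0,allow-web,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-syslog,2015/08/29 09:05:12,12348,1,52345,443,0,0,0x0,tcp,allow,20480,2048,18432,40,2015/08/29 09:04:50,22,business-and-economy
"""

# RFC 3164 header "Mon dd hh:mm:ss hostname " (assumed; adjust the pattern if
# the firewall's syslog server profile uses a different format).
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# 0-based positions in the CSV body. Assumed PAN-OS 6.1 field order:
# field 1 = receive time, field 3 = log type, field 4 = subtype.
F_RECEIVE_TIME, F_TYPE, F_SUBTYPE = 1, 3, 4


def parse_line(line):
    """Return (day, log_type, subtype, wire_bytes) for one forwarded line."""
    body = SYSLOG_HEADER.sub("", line, count=1)
    fields = next(csv.reader([body]))
    if len(fields) <= F_SUBTYPE:
        raise ValueError("not a PAN-OS log line: %r" % line[:40])
    day = fields[F_RECEIVE_TIME].split(" ")[0]          # e.g. "2015/08/28"
    wire_bytes = len(line.encode("utf-8")) + 1          # +1 for the newline
    return day, fields[F_TYPE], fields[F_SUBTYPE], wire_bytes


def volume_by_day(text):
    """Aggregate events, bytes and per-type counts for each day in the input."""
    per_day = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, log_type, _subtype, nbytes = parse_line(line)
        d = per_day.setdefault(day, {"events": 0, "bytes": 0, "by_type": {}})
        d["events"] += 1
        d["bytes"] += nbytes
        d["by_type"][log_type] = d["by_type"].get(log_type, 0) + 1
    return per_day


def average_daily_bytes(per_day):
    """Mean raw bytes per observed day; the figure Splunk licensing is sized on."""
    if not per_day:
        raise ValueError("no log data")
    return sum(d["bytes"] for d in per_day.values()) / len(per_day)


def storage_for_retention(per_day, retention_days, overhead=1.0):
    """Raw bytes needed to keep retention_days of logs at the observed rate.

    overhead > 1.0 adds headroom for index structures or growth."""
    return average_daily_bytes(per_day) * retention_days * overhead


def retention_days_for_quota(per_day, quota_bytes):
    """Days of logs that fit in quota_bytes at the observed daily volume."""
    return quota_bytes / average_daily_bytes(per_day)


if __name__ == "__main__":
    per_day = volume_by_day(SAMPLE_LOGS)
    for day in sorted(per_day):
        print(day, per_day[day])
    print("avg bytes/day:", average_daily_bytes(per_day))
    print("bytes for 180 days (x1.2 headroom):",
          storage_for_retention(per_day, 180, overhead=1.2))
```

Feed it a full day of lines captured by whatever syslog collector receives the firewall's forwarded logs rather than the four-line sample; the averages only mean something over whole days. The same daily byte figure answers both questions in the thread: multiplied by the retention target it sizes the collector's disk, and on its own it is the volume a Splunk licence would have to cover.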

L2 Linker

As per my experience, PAN Panorama VM is an excellent option (max supported space 2TB).

 

Splunk is also an excellent option, but you can't get reports or the feel/look of PAN.

 

You can try the Splunk free version with the PAN App (Splunk config for PAN):

https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Splunk-for-Palo-Alto-Networks/ta-p/54...

 

Sample shots from my test firewall (PAN) and Splunk (free version).

 

Traffic Dashboard (screenshot)

Web Activity Dashboard (screenshots)

 

L4 Transporter

Personally, I would go for Panorama with up to 4 TB of storage. This way, you won't have the hassle of maintaining two completely different systems. Also, you will be able to use PAN-OS 7 and get the latest reporting features, while keeping a more stable version on the firewall itself (v6.1).

 

I would not be surprised if Panorama ends up being cheaper than Splunk.

 

Benjamin

