For details on cookie usage on our site, read our Privacy Policy
Using Splunk for collecting PA logs
- LIVEcommunity
- Discussions
- General Topics
- Using Splunk for collecting PA logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-28-2015 04:47 AM
Hi.
We have a PA-5050 running PAN-OS 6.1.5. With the limited disk space we currently only get about 4-5 days worth of traffic log before it starts overwriting older events. We would like to increase this period to at least 6 months. One solution would be to setup Panorama which as a virtual appliance presumably would have unlimited disk space available for logging, but since we only have one PA firewall it would be a bit overkill for us. Another solution that has been suggested to us is to use Splunk and their PA app and forward all logs from the PA-5050 to Splunk. My concern here would be if the user interface in Splunk is very different from what the Monitor tab on the PA-5050 shows us.
Does anyone here use the Splunk solution and have any feedback how easy it is to use in everyday monitoring and troubleshooting compared to the bultin log viewer in the PA mgmt GUI?
Are there any other systems out there than Panorama and Splunk in use?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-28-2015 09:56 AM
Hi,
good point by Benjamin - correlation engine is a new feature in 7.0 and it is supported by Panorama too.
I would say, if you have no other log collector, SIM/SEM, whatever - Splunk will do. It is pretty much possible to send logs anywhere with syslog configuration, so you can send to logcollector as well (free linux syslog interface) and to any other logger.
IMNHO, if you won't go Panorama, than just do the reporting from the firewall for shorted periods (daily / weekly) and give up on the idea of having the same depth and quality of view in the splunk, use splunk only for historical / drilldown reviews etc.... how often will you be investigating something that hapenned weeks or months ago, anyways? Those monthly and/or quarterly reports are asked by the management, mostly, nobody normal / technical reads them :))) if they want those, let them budget in Panorama, otherwise, go splunk or other free solution 🙂
Regards
Luciano
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-28-2015 06:11 AM
Hi,
Splunk is a nice solution. Of course, monitor tabs and graphs in Splunk are a different as in the palo but they are usable.
After make a choice between Splunk and Panorama.... big question 🙂
- From a monitor point of view: If you use to use palo, graphs in Pano are exactly the same ..
- From a cost point of view: keep in mind that splunk cost is based amout of log per day ... In your cae it can be huge then expensive ...
Keep in mind that maybe one day you will have a cluster ... or more palo ..
If you already use Splunk in your company, why not ealse .....
Hope help
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-28-2015 07:29 AM
As per my experience PAN Panorama VM is excellent option (max support Space 2TB).
Splunk is also excellent option, but you can't get reports or feel/look like PAN.
You can try Splunk free version with PAN App (Splunk config for PAN)
Sample shots from my test Firewall (PAN) and Splunk (Free Version).
Traffic Dashboard
Web Activity Dashboard
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-28-2015 08:56 AM
Personnally, I would go for Panorama with up to 4 TB of storage.This way, you won't have the hassle of maintaining two completely different systems. Also, you will be able to use PAN-OS 7 and get the latest reporting features, while keeping a more stable version on the firewall itself (v6.1).
I would not be surprised if Panorama ends up being cheaper than Splunk.
Benjamin
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-28-2015 09:56 AM
Hi,
good point by Benjamin - correlation engine is a new feature in 7.0 and it is supported by Panorama too.
I would say, if you have no other log collector, SIM/SEM, whatever - Splunk will do. It is pretty much possible to send logs anywhere with syslog configuration, so you can send to logcollector as well (free linux syslog interface) and to any other logger.
IMNHO, if you won't go Panorama, than just do the reporting from the firewall for shorted periods (daily / weekly) and give up on the idea of having the same depth and quality of view in the splunk, use splunk only for historical / drilldown reviews etc.... how often will you be investigating something that hapenned weeks or months ago, anyways? Those monthly and/or quarterly reports are asked by the management, mostly, nobody normal / technical reads them :))) if they want those, let them budget in Panorama, otherwise, go splunk or other free solution 🙂
Regards
Luciano
- closing duplicated tickets in XSOAR & Splunk automatically in Cortex XSOAR Discussions
- Parsing out VLANS from netflow collection in Cortex XDR Discussions
- Multiple Question realted to assign owner from playbook in Cortex XSOAR Discussions
- Do we need to install XDR Collectors in our servers to Collect Windows Events ? in Cortex XDR Discussions
- Podman - Docker - new Integration in Cortex XSOAR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
