- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Using Splunk for collecting PA logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-28-2015 04:47 AM
Hi.
We have a PA-5050 running PAN-OS 6.1.5. With the limited disk space we currently only get about 4-5 days worth of traffic log before it starts overwriting older events. We would like to increase this period to at least 6 months. One solution would be to setup Panorama which as a virtual appliance presumably would have unlimited disk space available for logging, but since we only have one PA firewall it would be a bit overkill for us. Another solution that has been suggested to us is to use Splunk and their PA app and forward all logs from the PA-5050 to Splunk. My concern here would be if the user interface in Splunk is very different from what the Monitor tab on the PA-5050 shows us.
Does anyone here use the Splunk solution and have any feedback how easy it is to use in everyday monitoring and troubleshooting compared to the bultin log viewer in the PA mgmt GUI?
Are there any other systems out there than Panorama and Splunk in use?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-28-2015 09:56 AM
Hi,
good point by Benjamin - correlation engine is a new feature in 7.0 and it is supported by Panorama too.
I would say, if you have no other log collector, SIM/SEM, whatever - Splunk will do. It is pretty much possible to send logs anywhere with syslog configuration, so you can send to logcollector as well (free linux syslog interface) and to any other logger.
IMNHO, if you won't go Panorama, than just do the reporting from the firewall for shorted periods (daily / weekly) and give up on the idea of having the same depth and quality of view in the splunk, use splunk only for historical / drilldown reviews etc.... how often will you be investigating something that hapenned weeks or months ago, anyways? Those monthly and/or quarterly reports are asked by the management, mostly, nobody normal / technical reads them :))) if they want those, let them budget in Panorama, otherwise, go splunk or other free solution :)
Regards
Luciano
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-28-2015 06:11 AM
Hi,
Splunk is a nice solution. Of course, monitor tabs and graphs in Splunk are a different as in the palo but they are usable.
After make a choice between Splunk and Panorama.... big question :-)
- From a monitor point of view: If you use to use palo, graphs in Pano are exactly the same ..
- From a cost point of view: keep in mind that splunk cost is based amout of log per day ... In your cae it can be huge then expensive ...
Keep in mind that maybe one day you will have a cluster ... or more palo ..
If you already use Splunk in your company, why not ealse .....
Hope help
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-28-2015 07:29 AM
As per my experience PAN Panorama VM is excellent option (max support Space 2TB).
Splunk is also excellent option, but you can't get reports or feel/look like PAN.
You can try Splunk free version with PAN App (Splunk config for PAN)
Sample shots from my test Firewall (PAN) and Splunk (Free Version).
Traffic Dashboard
Web Activity Dashboard
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-28-2015 08:56 AM
Personnally, I would go for Panorama with up to 4 TB of storage.This way, you won't have the hassle of maintaining two completely different systems. Also, you will be able to use PAN-OS 7 and get the latest reporting features, while keeping a more stable version on the firewall itself (v6.1).
I would not be surprised if Panorama ends up being cheaper than Splunk.
Benjamin
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-28-2015 09:56 AM
Hi,
good point by Benjamin - correlation engine is a new feature in 7.0 and it is supported by Panorama too.
I would say, if you have no other log collector, SIM/SEM, whatever - Splunk will do. It is pretty much possible to send logs anywhere with syslog configuration, so you can send to logcollector as well (free linux syslog interface) and to any other logger.
IMNHO, if you won't go Panorama, than just do the reporting from the firewall for shorted periods (daily / weekly) and give up on the idea of having the same depth and quality of view in the splunk, use splunk only for historical / drilldown reviews etc.... how often will you be investigating something that hapenned weeks or months ago, anyways? Those monthly and/or quarterly reports are asked by the management, mostly, nobody normal / technical reads them :))) if they want those, let them budget in Panorama, otherwise, go splunk or other free solution :)
Regards
Luciano
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-31-2015 01:06 AM
Thanks for the feedback to all of you. I will try out for Splunk for a while.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-31-2015 06:09 AM
I just wanted to throw my two cents in here too.
Whenever I do my troubleshooting I always go to Splunk first, then if I don't find anything I might check the monitor tab as well.
I prefer Splunk because of the easy drill-down ability as well as how easy it is to view and create graphs. Graphs make it really easy to notice trends and anomolies in traffic.
Another thing that I like about Splunk is that if you do a bit of research you can create some pretty advanced searches that do exactly what you need and can format it exactly how you need. I have used Splunk to perform traffic searches and then format the info into a CLI command that I could simply copy and paste into the firewall to create address-objects and address-groups.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-14-2015 01:49 PM
I also say Splunk, as long as you know how to use it and are willing to put in the effort. If you are a Splunk expert, I would say you can get better data than panorama will give you. If you are a Splunk beginner like I am it is an awesome tool to get data that panorama does not readily or easily give you especially when showing time charts and drill downs. I don’t really use the Palo Alto app for Splunk but make my own dashboards to give me the kind the info that panorama doesn’t. It’s actually kind of a shame that the firewalls know everything about what passes through them, and they have the Panorama product, but we still need to use another (expensive) tool to really drill down into that data. Huge room for improvement here in my opinion.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-24-2015 04:31 PM
Couldn't resist throwing in my 2 cents as well..
I use Panorama to collect everything and love being able to run reports against all firewalls in one place(especially since Panorama is on 7 and the firewalls and 6 so we get those extra features that way).
I also use Splunk but it doesn't collect all the logs just things I am more likely to want to see. Then you have the extra ability to do things with the logs like create your own custom Dynamic Block List for the PANs to import on a schedule or more specific GlobalProtect reports that pull additional information in based on what the PAN logs have.
- Windows User-ID agent not collecting mapping in General Topics
- master device in panorama device-group if using dataplane interface in General Topics
- Panorama mgmt CPU usage in General Topics
- Globalprotect check operational system on the portal/gateway without collecting HIP data and using HIP profiles/HIP objects? in General Topics
- Timeframe for Script in a widget in Cortex XSOAR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
