Using Splunk for collecting PA logs

L2 Linker

Hi.

 

We have a PA-5050 running PAN-OS 6.1.5. With the limited disk space we currently only get about 4-5 days' worth of traffic log before it starts overwriting older events. We would like to increase this period to at least 6 months. One solution would be to set up Panorama, which as a virtual appliance presumably would have unlimited disk space available for logging, but since we only have one PA firewall it would be a bit overkill for us. Another solution that has been suggested to us is to use Splunk and their PA app and forward all logs from the PA-5050 to Splunk. My concern here would be if the user interface in Splunk is very different from what the Monitor tab on the PA-5050 shows us.

 

Does anyone here use the Splunk solution and have any feedback on how easy it is to use in everyday monitoring and troubleshooting compared to the built-in log viewer in the PA mgmt GUI?

 

Are there any other systems out there, other than Panorama and Splunk, in use?

1 accepted solution

Accepted Solutions

Hi,

 

good point by Benjamin - correlation engine is a new feature in 7.0 and it is supported by Panorama too.

 

I would say, if you have no other log collector, SIM/SEM, whatever - Splunk will do. It is pretty much possible to send logs anywhere with syslog configuration, so you can send to a log collector as well (free Linux syslog interface) and to any other logger.

 

IMNHO, if you won't go Panorama, then just do the reporting from the firewall for shorter periods (daily / weekly) and give up on the idea of having the same depth and quality of view in Splunk; use Splunk only for historical / drilldown reviews etc.... how often will you be investigating something that happened weeks or months ago, anyway? Those monthly and/or quarterly reports are asked for by the management, mostly, nobody normal / technical reads them :))) if they want those, let them budget in Panorama, otherwise, go Splunk or another free solution 🙂

 

Regards

 

Luciano
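The accepted answer's point is that the firewall can forward logs over syslog to a free Linux syslog daemon just as well as to Splunk, and the original question is really a sizing one (4-5 days on the appliance versus a 6-month target). The script below is an added example, not code from the thread or from Palo Alto Networks: it parses PAN-OS-style TRAFFIC lines as rsyslog or syslog-ng would write them to a file, counts events per action, and turns an observed volume into the storage a retention target needs. The column layout in `FIELDS`, the sample lines and the serial placeholder are constructed and simplified; the real PAN-OS traffic log has more columns in a release-specific order, so take it from the syslog field description for the version you run.

```python
"""Parse PAN-OS-style TRAFFIC syslog lines from a Linux syslog collector and
estimate storage for a retention target. Added example with a constructed,
simplified field layout; not the exact PAN-OS 6.1 format."""
import csv
import io
import re
from collections import Counter

# ASSUMED, simplified column order of the CSV payload that follows the syslog
# header. The real PAN-OS TRAFFIC log has more columns and a version-specific
# order: take it from the syslog field description for your release.
FIELDS = [
    "fmt", "receive_time", "serial", "type", "subtype", "future", "gen_time",
    "src", "dst", "natsrc", "natdst", "rule", "srcuser", "dstuser", "app",
    "vsys", "from_zone", "to_zone", "in_if", "out_if", "logset", "log_time",
    "session_id", "repeat", "sport", "dport", "natsport", "natdport", "flags",
    "proto", "action", "bytes",
]

# Constructed sample of what rsyslog/syslog-ng would write to a file: a BSD
# syslog header, then the comma-separated PAN-OS payload. Serial is a placeholder.
SAMPLE_LINES = [
    "<14>Aug 28 18:20:23 PA-5050 1,2015/08/28 18:20:23,SERIAL-PLACEHOLDER,TRAFFIC,end,1,"
    "2015/08/28 18:20:20,10.1.1.5,203.0.113.7,192.0.2.1,203.0.113.7,Allow-Web,,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Syslog,"
    "2015/08/28 18:20:23,12345,1,52344,443,18000,443,0x0,tcp,allow,8412",
    "<14>Aug 28 18:20:24 PA-5050 1,2015/08/28 18:20:24,SERIAL-PLACEHOLDER,TRAFFIC,deny,1,"
    "2015/08/28 18:20:24,198.51.100.23,192.0.2.1,0.0.0.0,0.0.0.0,Deny-All,,,"
    "not-applicable,vsys1,untrust,trust,ethernet1/1,ethernet1/2,Forward-Syslog,"
    "2015/08/28 18:20:24,12346,1,41000,23,0,0,0x0,tcp,deny,0",
    # A THREAT line has a different, shorter layout; it must not be mis-mapped.
    "<14>Aug 28 18:20:25 PA-5050 1,2015/08/28 18:20:25,SERIAL-PLACEHOLDER,THREAT,url,1,"
    "2015/08/28 18:20:25,10.1.1.5,203.0.113.7,192.0.2.1,203.0.113.7,Allow-Web,,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Syslog",
]

# "<PRI>Mon DD HH:MM:SS host payload"
SYSLOG_HDR = re.compile(r"^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<payload>.*)$")


def parse_line(line):
    """Return a dict for a TRAFFIC line, or None for anything else."""
    m = SYSLOG_HDR.match(line.strip())
    if not m:
        return None
    # csv handles the quoting PAN-OS uses when a field itself contains a comma
    row = next(csv.reader(io.StringIO(m.group("payload"))))
    if len(row) < len(FIELDS) or row[3] != "TRAFFIC":
        return None
    rec = dict(zip(FIELDS, row))
    rec["bytes"] = int(rec["bytes"])
    rec["raw_len"] = len(line.encode()) + 1  # bytes this event costs on disk
    return rec


def summarize(lines):
    """Count parsed events, their on-disk size and the action mix."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "events": len(recs),
        "stored_bytes": sum(r["raw_len"] for r in recs),
        "traffic_bytes": sum(r["bytes"] for r in recs),
        "by_action": Counter(r["action"] for r in recs),
    }


def retention_estimate(stored_bytes, window_hours, target_days=180, disk_gb=None):
    """Scale bytes seen in an observation window to bytes/day, the GB a
    target retention needs, and (optionally) the days a given disk holds."""
    per_day = stored_bytes * 24 / window_hours
    out = {"bytes_per_day": per_day, "gb_for_target": per_day * target_days / 1e9}
    if disk_gb is not None:
        out["days_on_disk"] = disk_gb * 1e9 / per_day
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(s)
    # 1 GB observed in a day, 180-day target, 5 GB of space on the collector
    print(retention_estimate(1_000_000_000, 24, disk_gb=5))
```

Run it against a day of collected lines (`summarize(open("pan.log"))`) and feed `stored_bytes` with `window_hours=24` into `retention_estimate`; the `bytes_per_day` figure is also the number a per-day Splunk licence would be priced on.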


8 REPLIES

L5 Sessionator

Hi,

 

Splunk is a nice solution. Of course, monitor tabs and graphs in Splunk are different from those in the Palo, but they are usable.

After that, making a choice between Splunk and Panorama.... big question 🙂

   - From a monitoring point of view: if you are used to the Palo, graphs in Pano are exactly the same ..

   - From a cost point of view: keep in mind that Splunk cost is based on the amount of logs per day ... In your case it can be huge and then expensive ...

Keep in mind that maybe one day you will have a cluster ... or more Palos ..

If you already use Splunk in your company, why not else .....

Hope this helps

L2 Linker

As per my experience, the PAN Panorama VM is an excellent option (max supported space 2TB).

Splunk is also an excellent option, but you can't get reports or a feel/look like PAN.

You can try the Splunk free version with the PAN App (Splunk config for PAN):

https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Splunk-for-Palo-Alto-Networks/ta-p/54...

Sample shots from my test firewall (PAN) and Splunk (free version).

 

Traffic Dashboard (screenshot, 2015-08-28)

Web Activity Dashboard (screenshots, 2015-08-28)

 

L4 Transporter

Personally, I would go for Panorama with up to 4 TB of storage. This way, you won't have the hassle of maintaining two completely different systems. Also, you will be able to use PAN-OS 7 and get the latest reporting features, while keeping a more stable version on the firewall itself (v6.1).

 

I would not be surprised if Panorama ends up being cheaper than Splunk.

 

Benjamin

L2 Linker

Thanks for the feedback to all of you. I will try out Splunk for a while.

 

I just wanted to throw my two cents in here too.

 

Whenever I do my troubleshooting I always go to Splunk first, then if I don't find anything I might check the monitor tab as well.

 

I prefer Splunk because of the easy drill-down ability as well as how easy it is to view and create graphs. Graphs make it really easy to notice trends and anomalies in traffic.

 

Another thing that I like about Splunk is that if you do a bit of research you can create some pretty advanced searches that do exactly what you need and can format it exactly how you need.  I have used Splunk to perform traffic searches and then format the info into a CLI command that I could simply copy and paste into the firewall to create address-objects and address-groups.

I also say Splunk, as long as you know how to use it and are willing to put in the effort. If you are a Splunk expert, I would say you can get better data than panorama will give you. If you are a Splunk beginner like I am it is an awesome tool to get data that panorama does not readily or easily give you especially when showing time charts and drill downs. I don’t really use the Palo Alto app for Splunk but make my own dashboards to give me the kind the info that panorama doesn’t. It’s actually kind of a shame that the firewalls know everything about what passes through them, and they have the Panorama product, but we still need to use another (expensive) tool to really drill down into that data. Huge room for improvement here in my opinion.

L2 Linker

Couldn't resist throwing in my 2 cents as well..

 

I use Panorama to collect everything and love being able to run reports against all firewalls in one place (especially since Panorama is on 7 and the firewalls on 6, so we get those extra features that way).

 

I also use Splunk but it doesn't collect all the logs just things I am more likely to want to see.  Then you have the extra ability to do things with the logs like create your own custom Dynamic Block List for the PANs to import on a schedule or more specific GlobalProtect reports that pull additional information in based on what the PAN logs have.
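Two of the replies describe the same workflow from different ends: one formats Splunk search results into CLI commands that create address objects and groups on the firewall, the other serves a custom Dynamic Block List that the PANs import on a schedule. The script below is an added example, not code from either poster or from Palo Alto Networks, showing both outputs from one search export. The CSV export, the object and group names, and the `pan:traffic` sourcetype in the comment are constructed assumptions; the `set address` / `set address-group` syntax is taken from the PAN-OS configure-mode CLI as I know it and should be checked against your release before pasting. Internal RFC1918 space and low-count rows are filtered out so a typo in the search does not block your own users.

```python
"""Turn a Splunk search export (e.g. 'stats count by src' over denied traffic)
into PAN-OS set-commands for address objects / an address group, and into a
Dynamic Block List file. Added example; export and names are constructed."""
import csv
import io
import ipaddress

# Constructed stand-in for a Splunk CSV export of a search along the lines of
#   sourcetype=pan:traffic action=deny | stats count by src
# (sourcetype name assumed; use whatever your PAN app or inputs actually set).
SEARCH_EXPORT = """src,count
198.51.100.23,412
198.51.100.0/24,77
203.0.113.9,15
not-an-ip,3
10.1.1.5,200
"""

# Never push internal ranges into a block list by mistake.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(net):
    return any(net.version == p.version and net.subnet_of(p) for p in RFC1918)


def load_hits(csv_text, min_count=10):
    """Validate each exported row into an ip_network, skipping rows that are
    not IPs (hostnames, garbage), below the count threshold, or RFC1918."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["src"].strip(), strict=False)
        except ValueError:
            continue
        if int(row["count"]) < min_count or is_internal(net):
            continue
        nets.append(net)
    return nets


def obj_name(net, prefix="splunk-deny"):
    # Object names are constructed; keep to letters, digits, '-', '_' and '.'.
    return f"{prefix}-{str(net.network_address).replace('.', '-')}-{net.prefixlen}"


def set_commands(nets, group="splunk-deny-sources"):
    """Configure-mode commands, syntax ASSUMED from the PAN-OS CLI:
    'set address <name> ip-netmask <cidr>' and
    'set address-group <group> static [ <members> ]'. Verify on your release."""
    if not nets:
        return []
    cmds = [f"set address {obj_name(n)} ip-netmask {n.with_prefixlen}" for n in nets]
    members = " ".join(obj_name(n) for n in nets)
    cmds.append(f"set address-group {group} static [ {members} ]")
    return cmds


def dynamic_block_list(nets):
    """Dynamic Block List body: one IP or CIDR per line. Serve the text over
    HTTP(S) and point the firewall's list object at that URL."""
    return "".join(f"{n.with_prefixlen}\n" for n in nets)


if __name__ == "__main__":
    hits = load_hits(SEARCH_EXPORT)
    print("\n".join(set_commands(hits)))
    print(dynamic_block_list(hits), end="")
```

The set-command path needs a commit on the firewall each time, so it suits one-off cleanups; the block-list path is the one to schedule, since the firewall refreshes the list itself and no configuration change is involved.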

  • 1 accepted solution
  • 7345 Views
  • 8 replies
  • 0 Likes