Using Splunk for collecting PA logs


L2 Linker

Hi.

We have a PA-5050 running PAN-OS 6.1.5. With the limited disk space we currently only get about 4-5 days worth of traffic log before it starts overwriting older events. We would like to increase this period to at least 6 months. One solution would be to setup Panorama which as a virtual appliance presumably would have unlimited disk space available for logging, but since we only have one PA firewall it would be a bit overkill for us. Another solution that has been suggested to us is to use Splunk and their PA app and forward all logs from the PA-5050 to Splunk. My concern here would be if the user interface in Splunk is very different from what the Monitor tab on the PA-5050 shows us.

Does anyone here use the Splunk solution and have any feedback on how easy it is to use in everyday monitoring and troubleshooting compared to the built-in log viewer in the PA mgmt GUI?

Are there any other systems out there than Panorama and Splunk in use?

8 REPLIES 8

L2 Linker

Thanks for the feedback to all of you. I will try out Splunk for a while.

I just wanted to throw my two cents in here too.

Whenever I do my troubleshooting I always go to Splunk first, then if I don't find anything I might check the monitor tab as well.

I prefer Splunk because of the easy drill-down ability as well as how easy it is to view and create graphs. Graphs make it really easy to notice trends and anomalies in traffic.

Another thing that I like about Splunk is that if you do a bit of research you can create some pretty advanced searches that do exactly what you need and can format it exactly how you need. I have used Splunk to perform traffic searches and then format the info into a CLI command that I could simply copy and paste into the firewall to create address-objects and address-groups.

I also say Splunk, as long as you know how to use it and are willing to put in the effort. If you are a Splunk expert, I would say you can get better data than Panorama will give you. If you are a Splunk beginner like I am, it is an awesome tool to get data that Panorama does not readily or easily give you, especially when showing time charts and drill-downs. I don't really use the Palo Alto app for Splunk but make my own dashboards to give me the kind of info that Panorama doesn't. It's actually kind of a shame that the firewalls know everything about what passes through them, and they have the Panorama product, but we still need to use another (expensive) tool to really drill down into that data. Huge room for improvement here in my opinion.

L2 Linker

Couldn't resist throwing in my 2 cents as well.

I use Panorama to collect everything and love being able to run reports against all firewalls in one place (especially since Panorama is on 7 and the firewalls on 6, so we get those extra features that way).

I also use Splunk but it doesn't collect all the logs, just things I am more likely to want to see. Then you have the extra ability to do things with the logs, like create your own custom Dynamic Block List for the PANs to import on a schedule, or more specific GlobalProtect reports that pull additional information in based on what the PAN logs have.
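The two ideas above, turning a Splunk search over forwarded traffic logs into pasteable PAN-OS address-object commands and into a Dynamic Block List, as an added example that is not from any of the posters or from the Palo Alto app. The log lines are constructed; the field positions and the `set address` / `set address-group` syntax are assumed from the PAN-OS 6.x log-format reference and CLI as remembered here, so check both against your own version.

```python
import csv
from collections import Counter

# Constructed sample: PAN-OS 6.x TRAFFIC syslog lines in CSV form, as they would be
# indexed by Splunk. Field positions follow the PAN-OS 6.1 traffic log layout as
# assumed here (1-based: src=8, dst=9, rule=12, src zone=17, action=31); check them
# against the log-format reference for your PAN-OS version before relying on them.
SAMPLE_LOGS = """\
1,2016/01/08 10:00:01,001801000001,TRAFFIC,deny,1,2016/01/08 10:00:01,198.51.100.7,10.1.1.20,0.0.0.0,0.0.0.0,block-inbound,,,ssh,vsys1,untrust,trust,ethernet1/1,ethernet1/2,splunk-fwd,,123456,1,51515,22,0,0,0x0,tcp,deny
1,2016/01/08 10:00:02,001801000001,TRAFFIC,deny,1,2016/01/08 10:00:02,198.51.100.7,10.1.1.21,0.0.0.0,0.0.0.0,block-inbound,,,ssh,vsys1,untrust,trust,ethernet1/1,ethernet1/2,splunk-fwd,,123457,1,51516,22,0,0,0x0,tcp,deny
1,2016/01/08 10:00:03,001801000001,TRAFFIC,end,1,2016/01/08 10:00:03,10.1.1.5,203.0.113.9,10.1.1.5,203.0.113.9,allow-outbound,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,splunk-fwd,,123458,1,40000,443,0,0,0x0,tcp,allow
1,2016/01/08 10:00:04,001801000001,TRAFFIC,deny,1,2016/01/08 10:00:04,203.0.113.50,10.1.1.20,0.0.0.0,0.0.0.0,block-inbound,,,ms-rdp,vsys1,untrust,trust,ethernet1/1,ethernet1/2,splunk-fwd,,123459,1,60000,3389,0,0,0x0,tcp,deny
"""

FIELDS = {"src": 7, "dst": 8, "rule": 11, "from_zone": 16, "action": 30}

def parse_traffic(text):
    """Yield one dict per TRAFFIC line; skip anything that is not a traffic log."""
    for row in csv.reader(text.splitlines()):
        if len(row) <= FIELDS["action"] or row[3] != "TRAFFIC":
            continue
        yield {name: row[idx] for name, idx in FIELDS.items()}

def denied_sources(text, from_zone="untrust", min_hits=1):
    """Count denied sessions per source IP from the given zone (the Splunk
    'search then aggregate' step), keeping sources with at least min_hits."""
    hits = Counter(r["src"] for r in parse_traffic(text)
                   if r["action"] == "deny" and r["from_zone"] == from_zone)
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def to_block_list(sources):
    """Render as a Dynamic Block List file body: one IP or CIDR per line."""
    return "\n".join(f"{ip}/32" for ip in sorted(sources)) + "\n"

def to_cli(sources, group="splunk-denied-src"):
    """Render as PAN-OS configure-mode commands (syntax as assumed here) that
    create one address object per source and a static group containing them."""
    names, lines = [], []
    for ip in sorted(sources):
        name = "splunk-" + ip.replace(".", "-")   # object name derived from the IP
        names.append(name)
        lines.append(f"set address {name} ip-netmask {ip}/32")
    lines.append(f"set address-group {group} static [ {' '.join(names)} ]")
    return "\n".join(lines)

if __name__ == "__main__":
    hits = denied_sources(SAMPLE_LOGS, min_hits=2)   # sources denied twice or more
    print(to_block_list(hits))
    print(to_cli(hits))
```

With `min_hits=2` only the source seen in two denied sessions survives; the allowed outbound session from the trust zone is never counted.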
