This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

BilalMohd
L1 Bithead

‎06-11-2024 01:01 AM

Hi All,

 

We're looking into some sort of cloud-based solution to route our Palo Alto firewall logs to across our customer base. I was intrigued by the Event Hubs (https://azure.microsoft.com/en-us/products/event-hubs/) solution as a way to push logs to it and then ingest them from there into our SIEM (Splunk). Is there a way, we can directly push logs from Palo Alto VM-series firewalls in Azure to Eventhub and then ingest it to Splunk from there? I have tried to search for documentation around it but nothing of help as such. Can someone please help me here? We need to setup something like this (attached in screenshot). @BPry @TomYoung @OtakarKlier @lmori 

 

#PaloAlto #Logging #EventHub #SEIM #Splunk

 

Do I need to setup AKS with fluentd in between firewalls and Eventhub before pushing the logs to Eventhub?

Preview file
24 KB
0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎06-12-2024 07:42 AM

Hello,

Not familiar with either Splunk or EventHub, however the Palo Alto can send its syslog's to any destination. If Eventhub can accept syslogs, then I cant see why it wont send there. You can also send the logs to several destinations, ie EventHub and Splunk from the PAN. Not sure what the end goal is to sent ot both.

 

Hope this helps.

 

Regards,

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎06-16-2024 07:26 PM

Hello @BilalMohd

 

Based on documentation Azure Event Hubs supports streaming of incoming data with HTTPS. Palo Alto supports log forwarding from Firewalls over HTTPS: Forward Logs to an HTTP/S Destination. The part to send logs from Azure Event Hubs is tricky. I came across this blog post: https://community.splunk.com/t5/Getting-Data-In/How-to-send-data-to-Splunk-from-Azure-Event-Hub/td-p... which indicates this might be possible.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

KateWinslet1
L0 Member

‎06-28-2024 12:01 PM

To route Palo Alto firewall logs to Splunk via Azure Event Hub, configure the firewall to send logs to an Azure Function or Logic App, which forwards them to Event Hub. Install the Splunk Add-on for Microsoft Cloud Services and configure it to ingest logs from Event Hub, enabling efficient log management and analysis in Splunk.

 
Best Wishes. Regards:liteblue.xyz
0 Likes Likes
  • 404 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks