Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Ingest Palo Alto logs to SIEM tool (Splunk) using Eventhub

L1 Bithead

Hi All,


We're looking into some sort of cloud-based solution to route our Palo Alto firewall logs to across our customer base. I was intrigued by the Event Hubs ( solution as a way to push logs to it and then ingest them from there into our SIEM (Splunk). Is there a way, we can directly push logs from Palo Alto VM-series firewalls in Azure to Eventhub and then ingest it to Splunk from there? I have tried to search for documentation around it but nothing of help as such. Can someone please help me here? We need to setup something like this (attached in screenshot). @BPry @TomYoung @OtakarKlier @lmori 


#PaloAlto #Logging #EventHub #SEIM #Splunk


Do I need to setup AKS with fluentd in between firewalls and Eventhub before pushing the logs to Eventhub?


Cyber Elite
Cyber Elite


Not familiar with either Splunk or EventHub, however the Palo Alto can send its syslog's to any destination. If Eventhub can accept syslogs, then I cant see why it wont send there. You can also send the logs to several destinations, ie EventHub and Splunk from the PAN. Not sure what the end goal is to sent ot both.


Hope this helps.



Cyber Elite
Cyber Elite

Hello @BilalMohd


Based on documentation Azure Event Hubs supports streaming of incoming data with HTTPS. Palo Alto supports log forwarding from Firewalls over HTTPS: Forward Logs to an HTTP/S Destination. The part to send logs from Azure Event Hubs is tricky. I came across this blog post: which indicates this might be possible.


Kind Regards


Help the community: Like helpful comments and mark solutions.

L0 Member

To route Palo Alto firewall logs to Splunk via Azure Event Hub, configure the firewall to send logs to an Azure Function or Logic App, which forwards them to Event Hub. Install the Splunk Add-on for Microsoft Cloud Services and configure it to ingest logs from Event Hub, enabling efficient log management and analysis in Splunk.

Best Wishes.
  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!