Splunk Lantern

Palo Alto Networks

Palo Alto Networks logs are network security logs generated by Palo Alto Networks next-generation firewalls, which identify applications regardless of port, protocol, evasive tactic, or SSL encryption, and scan content to stop targeted threats and prevent data leakage. The logs record which applications are in use on the network, giving you the visibility needed to maintain control and simplify network security.

Data visibility 

Palo Alto Networks logs provide deep visibility into network traffic information, including: the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason. They also provide system information, host information profiles, malware analysis, information about configuration changes, security alerts, and much more.

Configuration

Guidance for onboarding data can be found in the Splunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). Refer to the documentation, and note the following:

  • Add-on or app: Palo Alto Networks Add-on for Splunk
  • Sizing estimate: There is large variability in the size of Palo Alto Networks logs. Each message is typically around 850 bytes, with usually one message per connection (we recommend logging allowed sessions as well as denied ones). The volume then depends on the size of your PAN device and can range from hundreds of MB per day for a branch office to more than 250 GB per day for a main datacenter cluster.

    Using only the firewall's built-in tools, the PAN-OS CLI command show session info reports how many sessions have been created since bootup. One way to estimate event volume is to record that counter at the same time on consecutive days; the difference is the number of connections you typically see per day. The counter resets when the device reboots, so a second reading lower than the first indicates a reboot and that pair of readings should be discarded. Multiplying connections per day by the general 850-byte figure gives a reasonable expectation for daily data size, which you should then check against the actual indexed volume once data is flowing.

Input                                    Source type        Index
var/log/rsyslog/pan/threat/*.log         pan:threat         netproxy
var/log/rsyslog/pan/traffic/*.log        pan:traffic        netfw
var/log/rsyslog/pan/system/*.log         pan:system         netops
var/log/rsyslog/pan/config/*.log         pan:config         netops
var/log/rsyslog/pan/hipmatch/*.log       pan:hipmatch       epintel
var/log/rsyslog/pan/endpoint/*.log       pan:endpoint       epintel
var/log/rsyslog/pan/correlation/*.log    pan:correlation    netintel
var/log/rsyslog/pan/aperture/*.log       pan:aperture       netintel
var/log/rsyslog/pan/wildfire/*.log       pan:wildfire       epintel
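
The table shows where each log type must land on disk, but not how the firewall's syslog stream gets split into those directories, nor the Splunk monitor stanzas that read them. The following is an added example written for this page; it is not configuration from the original article, from Splunk, or from Palo Alto Networks. It assumes rsyslog 8 receiving the firewall's syslog on UDP and TCP 514, absolute paths under /var/log/rsyslog/pan/ (the table omits the leading slash), the standard PAN-OS comma-separated log format in which the fourth field is the log Type, and file locations of your choosing for the rsyslog snippet and the inputs.conf. Both files are shown in one block, separated by comments.

```conf
# ---- File 1: /etc/rsyslog.d/10-pan.conf (path assumed) ----
# Receive firewall syslog on UDP and TCP 514 (ports assumed) and bind both
# listeners to a dedicated ruleset so PAN-OS messages never reach the
# default rules for local system logs.
module(load="imudp")
input(type="imudp" port="514" ruleset="pan")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="pan")

# One file per day under a per-type directory. The directory name is the
# routing key that the Splunk monitor stanzas in File 2 turn into a
# sourcetype and an index.
template(name="PanFile" type="string"
         string="/var/log/rsyslog/pan/%$.pantype%/%$year%-%$month%-%$day%.log")
# Write the message as received (minus the <PRI> prefix) so the syslog
# header and the CSV body reach Splunk unaltered.
template(name="PanLine" type="string" string="%rawmsg-after-pri%\n")

ruleset(name="pan") {
    # PAN-OS log messages are comma-separated and the fourth comma field is
    # the log Type (TRAFFIC, THREAT, SYSTEM, CONFIG, HIP-MATCH, CORRELATION, ...).
    # Counting fields in the raw message, rather than in $msg, keeps the
    # field count independent of how rsyslog's tag parser splits the first
    # CSV field. field() takes the delimiter as its decimal ASCII code (44 = ',').
    set $.pantype = tolower(field($rawmsg-after-pri, 44, 4));
    # Match the directory names used in the table above.
    if $.pantype == "hip-match" then set $.pantype = "hipmatch";
    # Unknown or malformed types go to one catch-all directory instead of
    # silently creating a directory per garbage value.
    if not ($.pantype == "traffic" or $.pantype == "threat"
            or $.pantype == "system" or $.pantype == "config"
            or $.pantype == "hipmatch" or $.pantype == "correlation") then
        set $.pantype = "other";
    action(type="omfile" dynaFile="PanFile" template="PanLine"
           createDirs="on" dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# ---- File 2: inputs.conf in an app deployed to the forwarder (location assumed) ----
# One monitor stanza per directory from the table above. The endpoint,
# aperture and wildfire directories are not log Types the firewall emits,
# so the ruleset above does not produce them; if those products feed syslog
# into the same collector, add a matching branch in File 1 and a stanza
# here with the sourcetype and index from the table.
[monitor:///var/log/rsyslog/pan/traffic/*.log]
sourcetype = pan:traffic
index = netfw

[monitor:///var/log/rsyslog/pan/threat/*.log]
sourcetype = pan:threat
index = netproxy

[monitor:///var/log/rsyslog/pan/system/*.log]
sourcetype = pan:system
index = netops

[monitor:///var/log/rsyslog/pan/config/*.log]
sourcetype = pan:config
index = netops

[monitor:///var/log/rsyslog/pan/hipmatch/*.log]
sourcetype = pan:hipmatch
index = epintel

[monitor:///var/log/rsyslog/pan/correlation/*.log]
sourcetype = pan:correlation
index = netintel
```

Check the split before pointing Splunk at it: after a few minutes of traffic, a listing of /var/log/rsyslog/pan/ should contain only the expected directory names. Anything under other/ means either a log Type the ruleset does not know about (for example USERID or GLOBALPROTECT logs enabled on the firewall) or a log forwarding profile sending something that is not PAN-OS CSV to this listener.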

Validation

Run the following search on your Splunk instance to confirm that events are arriving and that each sourcetype is landing in the index shown in the table above. No results usually means the forwarder is not monitoring the directories, the sourcetype is being set to something other than pan:*, or the data is going to an index your role is not permitted to search.

index=* sourcetype=pan*
| stats count by sourcetype index