Firewalls, Panorama, and Traps
Log Forwarding App for Logging Service forwards syslogs to Splunk from the Palo Alto Networks Logging Service using an SSL Connection.
Firewalls can send logs to Splunk directly, or they can send logs to Panorama or a Log Collector which forwards the logs to Splunk.
Panorama sends its own logs to Splunk and can forward logs from firewalls to Splunk.
Traps can send logs to Splunk and Panorama, but Panorama does not forward Traps logs to Splunk.
Syslog-ng and Universal Forwarder
As an alternative to sending the logs directly to Splunk, it is common to send logs to a syslog-ng or other intermediate syslog server, then forward the logs from there with a Splunk Universal Forwarder. For instructions on how to do this, skip this article and go to the Syslog-ng and Universal Forwarder Guide.
Syslog to Splunk using the following protocols:

| Source | Protocols |
|---|---|
| Log Forwarding App for Logging Service | SSL |
| Next-generation Firewall | UDP, TCP, or SSL |
| Panorama | UDP, TCP, or SSL |
| Traps Endpoint Security >= 3.3 | UDP, TCP, or SSL |
| Traps Endpoint Security 3.2 | UDP |
Enable datamodel acceleration
If using the Palo Alto Networks App, you must enable datamodel acceleration to see data in the dashboards. Acceleration is on by default in App 6.0 and lower, and off by default in App 6.1 and higher (due to new Splunk app certification rules).
Enable it now by navigating to Settings -> Datamodels, then select each Palo Alto Networks datamodel and enable acceleration for a time period of your choice.
The time period represents how much data will show in the dashboards, and has a significant impact on storage usage. If unsure, set the acceleration time period to 7 days.
Datamodel acceleration is not required if using the Add-on only.
Create a data input
Use the GUI to create a Data Input, or create it in inputs.conf using the CLI.
Firewalls, Panorama, and Traps ESM can all send logs to the same data input and port. The Add-on will automatically detect the source of each log and parse it correctly.
Select a sourcetype
For App/Add-on 6.0.x and lower use the sourcetype:
Starting in App/Add-on 6.1.0, you can choose one of these 3 sourcetypes to assign to the incoming logs:

| Logs received by this input | Sourcetype |
|---|---|
| Only Firewall logs | pan:firewall |
| Only Traps Management Service logs | pan:traps |
| Only Traps 4.x logs | pan:traps4 |
| This input receives Firewall and Traps logs | pan:log |

It is preferable to use pan:traps instead of pan:log because less parsing is required and timestamps will be slightly more accurate.
- In the top right corner, click Settings -> Data inputs
- In the row for UDP or TCP click Add new (SSL Data Inputs can't be created in the GUI)
- Enter a port number and click Next
- Click Select Sourcetype -> Network & Security -> pan:log (or a more specific sourcetype from the table above)
- Change the App Context to the Palo Alto Networks Add-on
- Set any other settings such as Method or Index as appropriate for your environment
- Click Review, followed by Submit
You can optionally use a more specific sourcetype than pan:log, such as pan:traps. See the sourcetype table above for options.
Create the inputs.conf in the correct directory:
The local directory is not created during installation, so you may need to create it. Also, inputs.conf does not have to be in the Add-on directory, but that is the conventional place to put it.
Add the following lines to the inputs.conf file. This example uses the default syslog port UDP 514. Change the port as needed:

```
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
index = pan_logs
```
You can optionally change the sourcetype from pan:log to a more specific sourcetype such as pan:traps. See the sourcetype table above for options.
For UDP logs, the no_appending_timestamp setting is required. For TCP or SSL syslogs, remove the
You can optionally set an index to store the logs, or remove the index setting to store logs in the default index.
Configure the Firewall or Traps Endpoint Security Manager
There are two ways to send logs from a Next generation Firewall to Splunk:
- All firewalls syslog directly to Splunk
- All firewalls log to Panorama, then Panorama syslogs to Splunk
The Palo Alto Networks syslog documentation describes each option in detail:
Firewall and Panorama syslog to Splunk:
Traps Endpoint Security Manager (ESM) syslog to Splunk:
Firewall and Panorama logs must be sent in the default format.
Traps 4.x logs must be in CEF format (CEF is the default on ESM).
Configure the Log Forwarding App for Cortex
To forward logs from Cortex Data Lake to Splunk, configure the Log Forwarding App in Cortex to forward logs to the Splunk data input.
Log Forwarding App Configuration: https://docs.paloaltonetworks.com/cloud-services/apps/log-forwarding/log-forwarding-app-getting-started/get-started-with-log-fowarding-app/forward-logs-from-logging-service-to-syslog-server#
Test the configuration
The easiest way to test that everything is working is to configure the firewall to syslog all config events. On the firewall or Panorama, navigate to the Device tab, then Log Settings. Enable config logs and commit the configuration.
Now, make any configuration change to cause the firewall to produce a config event syslog. You don't have to commit the change for the syslog to be produced; any uncommitted change to the configuration produces a log.
Verify the log reached Splunk by going to the Palo Alto Networks App, clicking Search in the navigation bar, and entering:
Use the default Search app if using just the Palo Alto Networks Add-on.
If Splunk is getting the syslogs from the firewall and parsing them correctly, then you'll see the config event syslogs show up here from the changes you made on the firewall configuration.
If you don't see the syslog, verify the steps above or try the Troubleshooting Guide.
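A single pan:log input has to tell firewall CSV events apart from Traps CEF events before parsing them, and the test step above relies on spotting a CONFIG event. The script below is an added example, not code from the Add-on: it classifies constructed syslog lines the way that detection has to work, summarises a CONFIG event, and can push a constructed line at a UDP input (host, port and the sample field values are assumptions) so the Splunk side can be checked before a firewall is pointed at it.

```python
import csv
import io
import re
import socket

# Constructed sample lines, not captured from a real device. The firewall line
# follows the PAN-OS CSV layout: field 4 is the log Type, field 5 the Subtype;
# in CONFIG logs fields 10-13 are Command, Admin, Client and Result.
SAMPLE_FIREWALL_CONFIG = (
    "<14>Jan  1 12:00:01 pa-vm 1,2019/01/01 12:00:01,0123456789,CONFIG,0,0,"
    "2019/01/01 12:00:01,10.0.0.5,vsys1,set,admin,Web,Succeeded,"
    "config shared log-settings config,0,0x0"
)
SAMPLE_TRAPS_CEF = (
    "<14>Jan  1 12:00:02 esm-host CEF:0|Palo Alto Networks|Traps Agent|4.0.0"
    "|Threat|Prevention|8|rt=Jan 01 2019 12:00:02 dhost=PC-01 suser=alice"
)

# Optional RFC 3164 header (PRI, timestamp, hostname) in front of the payload.
SYSLOG_HEADER = re.compile(r"^<\d+>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+")
PANOS_TYPES = {"TRAFFIC", "THREAT", "CONFIG", "SYSTEM"}

def classify(line):
    """Return (sourcetype, fields): 'pan:traps4' for a CEF line, 'pan:firewall'
    for a PAN-OS CSV line, or (None, {}) if the line is neither."""
    body = SYSLOG_HEADER.sub("", line, count=1)
    if body.startswith("CEF:"):
        hdr = body.split("|", 7)  # CEF header: 7 pipe-delimited fields, then extensions
        return "pan:traps4", {"product": hdr[2], "name": hdr[5], "severity": hdr[6]}
    fields = next(csv.reader(io.StringIO(body)))
    if len(fields) > 4 and fields[3] in PANOS_TYPES:
        return "pan:firewall", {"type": fields[3], "subtype": fields[4], "csv": fields}
    return None, {}

def config_event_summary(line):
    """For the 'Test the configuration' step: who changed what, and the result,
    or None if the line is not a firewall CONFIG event."""
    sourcetype, parsed = classify(line)
    if sourcetype != "pan:firewall" or parsed["type"] != "CONFIG":
        return None
    f = parsed["csv"]
    return {"host": f[7], "command": f[9], "admin": f[10], "client": f[11], "result": f[12]}

def send_test_event(line, host="127.0.0.1", port=514):
    """Deliver one constructed line to a Splunk UDP data input (hypothetical lab
    endpoint) so the input and parsing can be checked without a firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))
```

After sending SAMPLE_FIREWALL_CONFIG at the input, the same CONFIG event should appear in the search from the test step above; if it does not, the input or sourcetype is the place to look.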
Firewall/Panorama API Configuration
Adaptive Response and Searchbar Commands leverage API calls to the Firewall/Panorama.
Create an administrative user and role with API access on the Firewall/Panorama.
Navigate to Configuration > Accounts in the add-on. Firewall/Panorama credentials are now designated as whichever credential has the name "Firewall".
Figure: The credential named "Firewall" will be used for connections to Firewalls or Panorama.