In the previous post we took some basic steps to begin hardening our server, reducing its attack surface and improving the security of our monitoring system. Now let’s forward some logs from a Palo Alto 200 device to it.
First up, let’s create a “Syslog Server Profile” by clicking “Device” -> “Server Profiles” -> “Syslog”.
For our example we will set the name as “Security Monitoring”.
Next up let’s configure the “Log Forwarding” by selecting the “Objects” menu then “Log Forwarding”.
Next, go to the “Options” settings of our security rules and set the “Log Forwarding” destination to the profile we just configured.
Finally, “Save” and “Commit” your changes.
Now that we have configured our rules, let’s verify that traffic is reaching our monitoring server by looking at tcpdump.
Looks good! Time to build a Splunk dashboard to present our information in an easily readable form. We configured the Palo Alto to forward "TRAFFIC" and "THREATS" logs, so we will parse those. Do remember that Palo Alto can also do URL filtering, WildFire, etc.
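Before the logs go anywhere near a dashboard, it helps to see what a forwarded line actually contains. The following parser is an added example, not code from this post: it strips the syslog header, splits the comma-separated PAN-OS body, and names the fields for the "TRAFFIC" and "THREAT" types. The field positions follow the documented PAN-OS layouts and are an assumption here, as are the constructed sample lines and hostname.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Syslog header that precedes the PAN-OS CSV body: "<PRI>Mon DD HH:MM:SS hostname 1,...".
SYSLOG_HEADER = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$")

# 0-based positions in the comma-separated body. These follow the documented PAN-OS
# TRAFFIC/THREAT layouts and are an assumption of this example: confirm them against the
# PAN-OS version on your firewall before wiring them into a dashboard.
COMMON = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11, "app": 14,
          "from_zone": 16, "to_zone": 17, "sport": 24, "dport": 25, "proto": 29, "action": 30}
EXTRA = {"TRAFFIC": {"bytes": 31},
         "THREAT": {"misc": 31, "threat_id": 32, "category": 33, "severity": 34}}


def parse_pan_syslog(line):
    """Return a dict of named fields from one forwarded PAN-OS line, or None if unparseable."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        return None
    host, body = m.groups()
    fields = next(csv.reader(StringIO(body)))  # csv handles the quoted URL in THREAT's misc field
    if len(fields) <= max(COMMON.values()):
        return None
    log_type = fields[COMMON["type"]]
    layout = {**COMMON, **EXTRA.get(log_type, {})}
    record = {"host": host}
    for name, idx in layout.items():
        record[name] = fields[idx] if idx < len(fields) else ""
    return record


def summarize(lines):
    """Count (type, action) pairs, the first thing a dashboard panel usually shows."""
    records = [r for r in (parse_pan_syslog(l) for l in lines) if r]
    return Counter((r["type"], r["action"]) for r in records)


# Constructed sample lines in the PAN-OS syslog format (not captured from a real device).
SAMPLE_LINES = [
    "<14>May  4 12:00:01 pa200 1,2014/05/04 12:00:01,001606001234,TRAFFIC,end,,2014/05/04 12:00:01,"
    "192.0.2.10,198.51.100.20,203.0.113.5,198.51.100.20,allow-web,,,web-browsing,vsys1,trust,untrust,"
    "ethernet1/2,ethernet1/1,Security Monitoring,2014/05/04 12:00:01,12345,1,51234,80,10234,80,"
    "0x400000,tcp,allow,5832,1920,3912,12",
    '<14>May  4 12:00:02 pa200 1,2014/05/04 12:00:02,001606001234,THREAT,vulnerability,,2014/05/04 12:00:02,'
    '203.0.113.77,192.0.2.10,203.0.113.77,10.0.0.10,inbound-web,,,web-browsing,vsys1,untrust,trust,'
    'ethernet1/1,ethernet1/2,Security Monitoring,2014/05/04 12:00:02,12346,1,44321,80,44321,8080,'
    '0x80000000,tcp,reset-both,"/index.php?q=test",EXAMPLE-SIGNATURE(12345),any,medium,client-to-server',
    "this is not a PAN-OS line",
]

if __name__ == "__main__":
    for rec in map(parse_pan_syslog, SAMPLE_LINES):
        print(rec)
    print(summarize(SAMPLE_LINES))
```

Lines that do not match the header or are too short return None rather than raising, so a stray non-PAN-OS message on the same syslog port does not stop the parse.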
See you in the next two posts, where we parse these "TRAFFIC" and "THREATS" logs to build out a Splunk dashboard for Palo Alto events.
All Posts In This Series.