Cribl Sandbox

    Get Some Data In

    Course Map - Sources

    Let’s begin by creating a Source to get data flowing into Stream. In our future environment we will have myriad Sources flowing to a multitude of Destinations. The journey of a thousand logs begins with the first Source.

    Important: Create a Source

    1. Make sure the Manage tab is active in Stream's top nav, then select the Data submenu and click Sources.
    2. Click Syslog under Push Sources.
    3. Click New Source in the top right.

    Note

    When you click the Sources page, you can immediately start typing to search for the Source you want. This helps navigate the mass of Sources supported in Stream.

    Every Source in Stream needs a unique name to help identify it throughout the rest of the interface. With syslog Sources we also need to bind to an IP address and a port on the host system (wherever Stream is deployed) in order to listen for incoming messages. These values will correspond to the port and IP address that are configured on the actual Source itself. In this case, our Palo Alto firewall is configured to send logs to 192.168.23.10 on TCP port 6514.

    In the interface, an IP address of 0.0.0.0 means ‘bind to every IP address present on this host’. It is fine to leave this as is, because it covers every interface on which syslog traffic could arrive.

    Important: Fill out the new Source

    1. Enter the input ID with the identifier paloalto.
    2. Leave the IP address as 0.0.0.0.
    3. Enter the port number 6514 in both the UDP Port and TCP Port fields.
    4. Click Save in the bottom right corner.

    Your settings should now look like this (screenshot: Course Map - Syslog Settings).

    Now that we have told Stream to listen for syslogs on TCP port 6514, we can see all the logs coming from our Palo Alto firewall.

    Important

    Click the Live button under the Status column on the far right of the page.

    All of the events you see are logs being sent from our firewall and hitting Stream. However, they aren’t going anywhere else, yet. Let’s configure our Destination!
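As an added illustration (example code, not Cribl's code and not part of the Sandbox), the Python script below mimics what the Source you just configured is doing: it binds a TCP listener to 0.0.0.0 the same way, plays the firewall's role by sending one syslog event to it, and shows how the PRI, hostname and comma-separated fields look when they land. The port is picked by the operating system (port 0) rather than 6514 so the demo cannot collide with a real Stream listener; the sample event, the host name pa-fw-01 and the IP addresses in it are constructed for the demo, not real firewall output.

```python
import socket
import threading

# The lesson binds the Stream Source to 0.0.0.0 (every interface on the host)
# and port 6514. This demo binds the same address but asks the OS for a free
# port (0) so it runs on any machine without colliding with a real listener.
BIND_ADDR = "0.0.0.0"
LESSON_PORT = 6514

# Constructed sample event (not real firewall output): an RFC 3164 syslog line
# whose MSG part imitates the comma-separated layout of a PAN-OS TRAFFIC log.
# PRI 14 = facility 1 (user) * 8 + severity 6 (informational).
SAMPLE_EVENT = (
    "<14>Jan 12 10:15:00 pa-fw-01 "
    "1,2023/01/12 10:15:00,0000DEMO0001,TRAFFIC,end,10.0.0.5,198.51.100.7,allow"
)


def parse_syslog(line: str) -> dict:
    """Parse an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> prefix")
    close = line.index(">")
    pri = int(line[1:close])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    rest = line[close + 1:]
    timestamp, rest = rest[:15], rest[16:]      # fixed-width BSD timestamp
    hostname, msg = rest.split(" ", 1)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": timestamp,
        "hostname": hostname,
        "fields": msg.split(","),               # PAN-OS logs are CSV in the MSG part
    }


def receive_one_line(listener: socket.socket) -> str:
    """Accept one TCP connection and read a single newline-terminated event."""
    conn, _peer = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8").rstrip("\n")


def send_event(host: str, port: int, line: str) -> None:
    """Play the firewall's role: open a TCP connection and send one event."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode("utf-8") + b"\n")


def demo(bind_addr: str = BIND_ADDR, port: int = 0) -> dict:
    """Stand up the listener, send SAMPLE_EVENT to it, and parse what arrived."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, port))
    listener.listen(1)
    bound_port = listener.getsockname()[1]
    received = {}
    t = threading.Thread(target=lambda: received.update(raw=receive_one_line(listener)))
    t.start()
    try:
        # Because the listener is on 0.0.0.0, a connection to the loopback
        # address (or to any other address the host owns) reaches it.
        send_event("127.0.0.1", bound_port, SAMPLE_EVENT)
        t.join(timeout=5)
    finally:
        listener.close()
    parsed = parse_syslog(received["raw"])
    parsed["port"] = bound_port
    return parsed


if __name__ == "__main__":
    result = demo()
    print(f"listener on {BIND_ADDR}:{result['port']} received from {result['hostname']}: "
          f"facility={result['facility']} severity={result['severity']} "
          f"type={result['fields'][3]}")
```

Run it with python3 and it prints the parsed event. Because a listener on 0.0.0.0 accepts connections on every interface, anything that can reach the host on the chosen port can deliver events, so on a real deployment pair the Source with host or network firewall rules that only admit the expected senders.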
