Cribl Sandbox

Cribl Dispensary

    Visit the Dispensary

Course Map (currently empty)

note

Don’t mind the course map; we’ll get back to it in a bit.

Stream has myriad uses. There are, however, a few common use cases that we see regularly. For these, it’s best not to reinvent the wheel. Instead, Cribl maintains a repository of pre-configured, curated Packs for the Data Sources and use cases we run into most often. We call it The Dispensary. Check it out: https://packs.cribl.io

    important

    Visit the Dispensary

    https://packs.cribl.io
    

You’ll see that there are a lot of Packs listed. The Cribl team curates and maintains each Pack, keeping up with any changes that may affect its configuration.

    Here's the one we are interested in: Palo Alto Networks

    A quick excerpt from the README:

    note

    The Cribl Pack for Palo Alto Networks Firewalls processes events with the following goals in mind:

    • Events are received via syslog directly from Palo Alto firewalls
    • Add Splunk metadata to events (e.g. index, source, sourcetype, host)
    • Reduction of events by trimming the syslog header and removing unnecessary fields such as "future_use" and "time" fields

You should expect to see a 15-30% reduction in the size of your Palo Alto Firewall log data.

    That last line sounds exactly like what Steve asked for: A reduction in the size of the Palo Alto log data.
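To make the README’s three goals concrete before importing anything, here is an added example in plain JavaScript (the language of Stream’s Eval expressions). It is not code from this page or from the Pack itself: it strips the syslog header, attaches Splunk-style metadata, drops the future_use and redundant timestamp columns, and reports the byte reduction on a constructed sample event. The abbreviated PAN-OS column order, the header pattern, the index/source/sourcetype values and the sample event are assumptions for illustration, not the Pack’s actual configuration.

```javascript
// Added example, not code from the Cribl Sandbox page or from the Cribl Pack
// for Palo Alto Networks. It reproduces the three README goals in plain
// JavaScript: strip the syslog header, add Splunk metadata, drop future_use
// and redundant timestamp columns, then measure the reduction.
//
// Assumptions (not from the page): the header regex, the abbreviated PAN-OS
// traffic column order, the index/source/sourcetype values, and the sample
// event, which is constructed rather than captured from a firewall.

// Abbreviated PAN-OS traffic-log column order. Assumed for illustration;
// verify against the PAN-OS log-field reference for your release.
const TRAFFIC_FIELDS = [
  "future_use", "receive_time", "serial_number", "type", "subtype",
  "future_use", "generated_time", "src_ip", "dst_ip", "nat_src_ip",
  "nat_dst_ip", "rule", "src_user", "dst_user", "app", "vsys", "src_zone",
  "dst_zone", "inbound_if", "outbound_if", "log_action", "future_use",
  "session_id", "repeat_count", "src_port", "dst_port", "nat_src_port",
  "nat_dst_port", "flags", "protocol", "action", "bytes", "bytes_sent",
  "bytes_received", "packets", "start_time", "elapsed_time", "category",
  "future_use", "sequence_number", "action_flags", "src_location",
  "dst_location", "future_use", "packets_sent", "packets_received",
  "session_end_reason",
];

// Timestamp columns that become redundant once _time is set (assumed list).
const REDUNDANT_TIME_FIELDS = new Set(["receive_time", "generated_time"]);

// BSD-style syslog header: <PRI>Mon DD HH:MM:SS host <body>
const SYSLOG_HEADER =
  /^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([\s\S]*)$/;

// Constructed sample event (not real firewall data), one value per column.
const SAMPLE_EVENT = "<14>Oct 12 14:03:27 pa-fw-01 " + [
  "1", "2023/10/12 14:03:26", "001901000999", "TRAFFIC", "end",
  "2049", "2023/10/12 14:03:26", "10.1.1.23", "93.184.216.34", "0.0.0.0",
  "0.0.0.0", "allow-web", "", "", "web-browsing", "vsys1", "trust",
  "untrust", "ethernet1/2", "ethernet1/1", "log-forward", "2023/10/12 14:03:26",
  "46213", "1", "51234", "443", "0",
  "0", "0x19", "tcp", "allow", "1532", "948",
  "584", "12", "2023/10/12 14:03:10", "15", "computer-and-internet-info",
  "0", "123456789", "0x0", "US",
  "US", "0", "7", "5",
  "tcp-fin",
].join(",");

function reducePanEvent(raw) {
  const m = SYSLOG_HEADER.exec(raw);
  if (!m) throw new Error("not a syslog-wrapped PAN-OS event");
  const [, , , host, body] = m;

  // Naive split: PAN-OS can quote fields that contain commas, so a
  // production pipeline should use a real CSV parser here.
  const values = body.split(",");
  if (values.length < TRAFFIC_FIELDS.length) {
    throw new Error(`expected ${TRAFFIC_FIELDS.length} columns, got ${values.length}`);
  }

  const fields = {};
  const kept = [];
  let generatedTime = null;
  TRAFFIC_FIELDS.forEach((name, i) => {
    if (name === "generated_time") generatedTime = values[i];
    if (name === "future_use" || REDUNDANT_TIME_FIELDS.has(name)) return; // drop
    fields[name] = values[i];
    kept.push(values[i]);
  });

  // Promote the generated timestamp to _time (epoch seconds). The firewall is
  // assumed to log in UTC; adjust for your deployment's timezone.
  const [date, clock] = generatedTime.split(" ");
  const [y, mo, d] = date.split("/").map(Number);
  const [h, mi, s] = clock.split(":").map(Number);
  const _time = Math.floor(Date.UTC(y, mo - 1, d, h, mi, s) / 1000);

  // Splunk metadata (assumed values; set them to match your indexes).
  Object.assign(fields, {
    host,
    index: "pan_logs",
    source: "pan:firewall",
    sourcetype: `pan:${fields.type.toLowerCase()}`,
  });

  const reduced = kept.join(",");
  const bytesIn = new TextEncoder().encode(raw).length;
  const bytesOut = new TextEncoder().encode(reduced).length;
  return {
    _raw: reduced,
    _time,
    fields,
    bytesIn,
    bytesOut,
    reductionPct: Math.round((1 - bytesOut / bytesIn) * 1000) / 10,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = reducePanEvent(SAMPLE_EVENT);
  console.log(`${r.bytesIn} -> ${r.bytesOut} bytes (${r.reductionPct}% smaller)`);
  console.log(r.fields);
}
```

Run it with node: the constructed event shrinks from 380 to 280 bytes, about 26%, which lands inside the 15-30% range the README quotes, and the kept columns come out as named fields with the Splunk metadata attached. A real pipeline should parse the CSV properly rather than splitting on commas, and should confirm the column positions against the firewall’s PAN-OS release before dropping anything.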

    Now, let’s get this Pack into Stream.

    Copyright © 2023 Cribl, Inc.