
Get Some Data In

[Figure: Course Map - Sources]

Let’s begin by creating a Source to get data flowing into Stream. In our future environment, we will have a myriad of Sources flowing to a multitude of Destinations. The journey of a thousand logs begins with the first Source.

Important: Create a Source

  1. Make sure the Manage tab is active in Stream's top nav, then select the Data submenu and click Sources.
  2. Under Push Sources, click Syslog.
  3. On the top right, click Add Source.

Note: Once you open the Sources page, you can immediately start typing to find the Source you need. This makes it easier to navigate the large number of Sources that Stream supports.

Every Source in Stream needs a unique name so it can be identified throughout the rest of the interface. A syslog Source must also bind to an IP address and a port on the host system (wherever Stream is deployed) in order to listen for incoming messages. These values must match the destination address and port configured on the sending device itself. In this case, our Palo Alto firewall is configured to send logs to 192.168.23.10 on TCP port 6514.

In the interface, an IP address of 0.0.0.0 means "bind to every IP address present on this host". This is fine to leave as is, because the listener then accepts syslog on every interface the host has.
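To make concrete what the Address and port fields do, here is an added example (my own code, not part of the course or of Cribl Stream) of a minimal Python receiver that binds the same way, 0.0.0.0 on both TCP and UDP port 6514, and parses each message's <PRI>, header and payload. The sample lines are constructed to resemble a firewall's TRAFFIC log and are not captured from a real device. Two things the code makes visible: 0.0.0.0 exposes the listener on every interface the host has, so a host firewall should limit which senders can reach the port; and syslog over TCP needs framing (octet counting or newline delimiting, RFC 6587), which is why the TCP handler buffers and splits before parsing. Note also that 6514 is the IANA-registered port for syslog over TLS; both the course and this receiver use it for plaintext, so the log data is readable to anyone on the network path.

```python
"""Minimal syslog receiver: binds like the Stream Source above and parses what arrives."""
import re
import socketserver
import threading
from dataclasses import dataclass

# Constructed sample lines (not captured from a real device): a BSD-style
# (RFC 3164) line in the shape a firewall TRAFFIC log might take, and an
# RFC 5424 line carrying the same payload.
SAMPLE_BSD = ("<14>Jan  5 12:34:56 pa-fw-01 "
              "1,2024/01/05 12:34:56,0123456789,TRAFFIC,end,10.0.0.5,93.184.216.34,allow")
SAMPLE_5424 = ("<165>1 2024-01-05T12:34:56Z pa-fw-01 panos - - - "
               "TRAFFIC,end,10.0.0.5,93.184.216.34,allow")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
BSD_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL)
RFC5424_RE = re.compile(
    r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str
    fmt: str  # "rfc3164", "rfc5424" or "unknown"


def parse_syslog(raw: str) -> SyslogEvent:
    """Parse one syslog message. Raises ValueError when there is no valid <PRI>."""
    m = PRI_RE.match(raw.rstrip("\r\n"))
    if not m or int(m.group(1)) > 191:  # PRI = facility*8 + severity, max 23*8+7
        raise ValueError("not a syslog message: missing or invalid <PRI>")
    pri, rest = int(m.group(1)), m.group(2)
    facility, severity = pri >> 3, pri & 7
    m5 = RFC5424_RE.match(rest)
    if m5:
        return SyslogEvent(facility, severity, m5.group(1), m5.group(2),
                           m5.group(7) or "", "rfc5424")
    m3 = BSD_RE.match(rest)
    if m3:
        return SyslogEvent(facility, severity, m3.group(1), m3.group(2), m3.group(3), "rfc3164")
    # No recognisable header: keep the payload so nothing is silently dropped.
    return SyslogEvent(facility, severity, "", "", rest, "unknown")


def split_tcp_frames(buf: bytes):
    """Split a TCP byte stream into complete messages (RFC 6587 framing):
    octet-counted frames ("NN <PRI>...") or newline-delimited ones.
    Returns (frames, leftover); leftover is an incomplete tail to keep buffering."""
    frames = []
    while buf:
        m = re.match(rb"^(\d+) ", buf)
        if m:  # octet counting: the length prefix says how many bytes follow
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break  # wait for more bytes
            frames.append(buf[start:start + n])
            buf = buf[start + n:]
            continue
        nl = buf.find(b"\n")  # non-transparent framing: one message per line
        if nl < 0:
            break
        if nl:
            frames.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return frames, buf


def _report(data: bytes, peer) -> None:
    try:
        ev = parse_syslog(data.decode("utf-8", "replace"))
        print(f"{peer[0]} fac={ev.facility} sev={ev.severity} host={ev.host} {ev.message[:60]}")
    except ValueError as exc:
        print(f"{peer[0]} dropped: {exc}")


class _UDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        _report(self.request[0], self.client_address)  # one datagram = one message


class _TCPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            frames, buf = split_tcp_frames(buf + chunk)
            for frame in frames:
                _report(frame, self.client_address)


def serve(address: str = "0.0.0.0", port: int = 6514) -> None:
    """Listen on UDP and TCP at once, as the Source configured above does.
    0.0.0.0 accepts traffic on every interface of the host."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    udp = socketserver.ThreadingUDPServer((address, port), _UDPHandler)
    tcp = socketserver.ThreadingTCPServer((address, port), _TCPHandler)
    threading.Thread(target=udp.serve_forever, daemon=True).start()
    tcp.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with `python3 receiver.py` on a test host and send a line from another shell with util-linux `logger --server 127.0.0.1 --port 6514 --tcp "test message"` (or `--udp`); the receiver prints the facility, severity and host it parsed. Sending from a real device across the network is where 0.0.0.0 matters: the same listener answers on every address the host has, so restrict reachability with the host firewall if only the firewall's management address should be able to deliver logs.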

Important: Fill out the new Source

  1. In Input ID, enter paloalto.
  2. In Address, leave the default of 0.0.0.0.
  3. In UDP port and TCP port, enter 6514 in both fields.
  4. Click Save.

Your settings should now look like the screenshot below. [Figure: Course Map - Syslog Settings]

Now that we have told Stream to listen for syslogs on TCP port 6514, we can see all the logs coming from our Palo Alto firewall.

Important: In the Status column on the right, click Live.

You see all the events as they are sent from our firewall and arrive in Stream. However, they aren't going anywhere else yet. Let's configure our Destination!