BLOG POST
27 JAN

Windows ELK Stack & Palo Alto Firewall

by Sean

I’ve seen a few tutorials around the web showing how to set up an ELK stack for Palo Alto firewalls. I’m not a Linux guru, and our whole environment at work is primarily Windows servers, so I wanted to stick with what I know, but I haven’t found any tutorials on how to set up an ELK stack on a Windows box. I’ll post a brief write-up of how I accomplished this below.

My final product: one side is PRTG, monitoring the bandwidth for each of our locations and both firewalls, as well as any down sensors. The right side is my Kibana setup. This is set up on a 55″ 4K TV:
Other sources I used as references and combined information from to get this working:

https://www.ulyaoth.net/resources/tutorial-install-logstash-and-kibana-on-a-windows-server.34/
http://operational.io/elk-stack-for-network-operations-reloaded/
https://anderikistan.com/2016/03/26/elk-palo-alto-networks/
https://exorcimist.wordpress.com/2015/05/07/kibana-logstash-elasticsearch-for-palalto/

• VEEAM completes full weekly backups on Thursday nights from each one of our 5 VM Hosts.
• We have 2 VEEAM servers doing the backups for all 5 hosts.
• Thursday, after the backups complete, I use VEEAM’s post-job field to call a batch file that automates the zipping/splitting of each VBK file.
• 7zip takes the rest of Thursday night/Friday morning zipping/splitting the archives.
• Friday afternoon, after the majority of users have gone home and bandwidth isn’t an issue, I kick off a batch file that uploads the files to Google Drive via rclone to max out our connection.
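The split-and-upload procedure above, as one batch file with two entry points (an added example, not the author’s script): `split` is what the VEEAM post-job field would call, `upload` is what the Friday task would run. The paths, the 7-Zip and rclone locations, the remote name `gdrive:` and the log file are assumptions; the `7z` and `rclone` switches themselves are real.

```batch
@echo off
REM Added example, not the author's script. Paths, the "gdrive:" remote
REM and tool locations are assumptions; adjust for your environment.
REM Usage:  backup.bat split   (VEEAM post-job field, Thursday night)
REM         backup.bat upload  (scheduled task, Friday afternoon)
setlocal EnableDelayedExpansion
set "SEVENZIP=C:\Program Files\7-Zip\7z.exe"
set "RCLONE=C:\Tools\rclone\rclone.exe"
set "SRC=D:\Backups"
set "STAGE=E:\Staging"
set "REMOTE=gdrive:veeam-weekly"
set "LOG=%STAGE%\backup.log"

if /I "%~1"=="split"  goto split
if /I "%~1"=="upload" goto upload
echo Usage: %~nx0 split ^| upload
exit /b 2

:split
for %%F in ("%SRC%\*.vbk") do (
    echo !date! !time! splitting %%~nxF >> "%LOG%"
    REM -v50g = 50 GB volumes; -mx1 = fastest level, VBKs are already compressed
    "%SEVENZIP%" a -v50g -mx1 "%STAGE%\%%~nF.7z" "%%~fF" >> "%LOG%" 2>&1
    if errorlevel 1 (
        echo !date! !time! ERROR creating archive for %%~nxF >> "%LOG%"
    ) else (
        REM Integrity-test the whole volume set before it leaves the site
        "%SEVENZIP%" t "%STAGE%\%%~nF.7z.001" >> "%LOG%" 2>&1
    )
)
exit /b 0

:upload
echo %date% %time% upload start >> "%LOG%"
"%RCLONE%" copy "%STAGE%" "%REMOTE%" --transfers 4 --log-file "%LOG%" --log-level INFO
REM Compare local and remote hashes so a truncated upload is caught now,
REM not at restore time
"%RCLONE%" check "%STAGE%" "%REMOTE%" --log-file "%LOG%" --log-level INFO
if errorlevel 1 (
    echo %date% %time% ERROR upload verification failed >> "%LOG%"
    exit /b 1
)
echo %date% %time% upload complete >> "%LOG%"
exit /b 0
```

Because the archives leave the site, 7-Zip’s `-p` (password) and `-mhe=on` (encrypt file names) switches on the `a` command are worth adding so the volumes sitting in Google Drive are AES-encrypted rather than plaintext copies of the backups.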

Every Thursday night, we end up with 5 different VBK full backup files (3 on one VEEAM server and 2 on the other, all in separate folders). I have a Server 2012 R2 VM that I use for random projects, and this is where I’ve mapped drives to both of those servers so it can handle the uploading. We set VEEAM to run a post-backup batch file to zip everything up into 50GB chunks. The only issue with this is that VEEAM’s post-script will eventually time out before 7zip finishes. You can edit the registry on your VEEAM server to extend the timeout period (I think it’s 15 minutes by default). You have to add the DWORD value as shown below: