https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251066#M28754 <P>On the HF your inputs can be installed here:<BR /> $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf</P> <P>Since you are using 3.5.2 you can use the 5.x stanza.</P> <P>Have you tried this already?</P> Tue, 29 Sep 2020 09:28:19 GMT ndesignhouse 2020-09-29T09:28:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251063#M28751 <P>Hello,<BR /> I am trying to setup Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enteprise 6.3.3). I already have the Palo Alto logs sending to the Forwarder. I have installed the Splunk_TA_paloalto (3.5.2) using the directions provided by Splunk for Palo Alto Networks "<A href="http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on" target="_blank">http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on</A>" but it doesn't really provide a detailed instruction on how to configure the required files on the Forwarder and the Indexer. If I do not use the Palo Alto App, which inputs.conf do I follow? How do I create the pan_logs Indexes? Do I create the input using the 5.x or 4.x stanza? Can someone please advise or help?</P> Tue, 29 Sep 2020 09:07:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251063#M28751 jl_Splunk 2020-09-29T09:07:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251064#M28752 <P>Are you using the universal forwarder?</P> Wed, 20 Apr 2016 14:38:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251064#M28752 ndesignhouse 2016-04-20T14:38:10Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251065#M28753 <P>Hi @ndesignhouse, we are not using the UF. We setup PA server to send directly to the HF.</P> Wed, 20 Apr 2016 21:57:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251065#M28753 jl_Splunk 2016-04-20T21:57:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251066#M28754 <P>On the HF your inputs can be installed here:<BR /> $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf</P> <P>Since you are using 3.5.2 you can use the 5.x stanza.</P> <P>Have you tried this already?</P> Tue, 29 Sep 2020 09:28:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251066#M28754 ndesignhouse 2020-09-29T09:28:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251067#M28755 <P>On the HF, your inputs can be installed here:<BR /> $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf</P> <P>Since you are using 3.5.2 you can use the 5.x stanza.</P> <PRE><CODE>[udp://514] sourcetype = pan:log no_appending_timestamp = true </CODE></PRE> Tue, 29 Sep 2020 09:28:32 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251067#M28755 ndesignhouse 2020-09-29T09:28:32Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251068#M28756 <P>Does it have to be in UDP stanza? I have it on monitor because I have setup my HF server to save events received from PA Server to a specific directory.</P> <P>I notice a latest version so I have installed Splunk_TA_paloalto 3.6 on my Deployer, HF, Indexer and SearchHead.</P> <P>The below is what I have on my HF only. Currently, I still do not see any indexed data on the Indexer server. Am I missing some config steps on the Indexer or SearchHead server?</P> <PRE><CODE>[monitor:///home/splunk/remote/ip/*.log] disabled = false host_segment = 4 sourcetype = pan:log no_appending_timestamp = true </CODE></PRE> Tue, 29 Sep 2020 09:32:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251068#M28756 jl_Splunk 2020-09-29T09:32:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251069#M28757 <P>Thanks for help <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/162068">@ndesignhouse</a> , I am able to search for the events now using the search string:</P> <PRE><CODE>index=* sourcetype=pan* </CODE></PRE> <P>The only difference from yours is that I am using the monitor stanza and using the Splunk_TA_paloalto 3.6 instead of 3.5.2.</P> <PRE><CODE>[monitor:///home/splunk/remote/ipaddress*/*.log] disabled = false host_segment = 4 sourcetype = pan:log no_appending_timestamp = true </CODE></PRE> Tue, 29 Sep 2020 09:32:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251069#M28757 jl_Splunk 2020-09-29T09:32:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251070#M28758 <P>Yes you can use monitor. I use monitor as well. You won't need the no_appending_timestamp as that is an attribute for UDP only.</P> Tue, 29 Sep 2020 09:28:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251070#M28758 ndesignhouse 2020-09-29T09:28:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251071#M28759 <P>Glad i could help : )</P> Sat, 23 Apr 2016 02:36:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-Configure-Palo-Alto-Add-On-Splunk-TA-paloalto-3-5-2-for/m-p/251071#M28759 ndesignhouse 2016-04-23T02:36:16Z