Clustered indexers installation of Splunk_TA_paloalto

tom_monkhouse
Hi,

I am receiving the following validation error when installing the Palo add-on on our clustered indexers (through master-apps):

Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam  (value:  {
    "category" :   ["Information Conveyance"],
    "task" :       ["create", "delete", "allow", "block"],
    "subject" :    ["network.firewall"],
    "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}],
    "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",
    "supports_adhoc" : true
}).
;       Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam  (value:  {
    "category" :   ["Information Gathering"],
    "task" :       ["scan"],
    "subject" :    ["process.sandbox"],
    "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}],
    "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",
    "supports_adhoc" : true
}).

Does anyone know what may be causing this, or if I need to remove these two stanzas by creating a local/alert_actions.conf file and copying everything but these over?

Thanks in advance,
Tom
