Hello,
I am trying to set up the Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3). I already have the Palo Alto logs sending to the Forwarder. I have installed the Splunk_TA_paloalto (3.5.2) using the directions provided by Splunk for Palo Alto Networks "http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on", but it doesn't really provide detailed instructions on how to configure the required files on the Forwarder and the Indexer. If I do not use the Palo Alto App, which inputs.conf do I follow? How do I create the pan_logs index? Do I create the input using the 5.x or 4.x stanza? Can someone please advise or help?
On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf
Since you are using 3.5.2 you can use the 5.x stanza.
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
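A fuller version of the answer above, as an added example (not from the original answer and not from the Palo Alto Networks documentation): the UDP stanza on the HF with the index set, plus the matching indexes.conf stanza that has to exist on the indexer so the pan_logs index the question asks about actually receives the data. The index name pan_logs is taken from the question; the firewall address 10.0.0.5 and the retention values are assumptions.

```ini
# --- On the heavy forwarder: $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf
# Added example; the firewall address is an assumption.
[udp://514]
sourcetype = pan:log
index = pan_logs
no_appending_timestamp = true
# Derive host from the sending IP rather than from anything inside the datagram
connection_host = ip
# Syslog over UDP is unauthenticated and unencrypted: only accept datagrams from
# the firewall's management address (assumed here to be 10.0.0.5) so no other
# machine on the network can inject events that look like Palo Alto logs
acceptFrom = 10.0.0.5

# --- On the indexer: $SPLUNK_HOME/etc/system/local/indexes.conf
# (or any app's local/indexes.conf on the indexer; the HF only forwards,
#  so defining the index on the HF alone does nothing)
[pan_logs]
homePath   = $SPLUNK_DB/pan_logs/db
coldPath   = $SPLUNK_DB/pan_logs/colddb
thawedPath = $SPLUNK_DB/pan_logs/thaweddb
# Retention values are assumptions; set them to your own policy
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 100000
```

After restarting both instances, confirm the stanza is what Splunk actually loaded with `$SPLUNK_HOME/bin/splunk btool inputs list udp --debug` on the HF, and confirm the HF has an outputs.conf pointing at the indexer (without one the events never leave the HF). Search with `index=pan_logs sourcetype=pan*` rather than `sourcetype=pan:log` only: the add-on's props and transforms run on the HF and rewrite the incoming `pan:log` events into the per-log-type sourcetypes (`pan:traffic`, `pan:threat`, `pan:system`, `pan:config`). Binding port 514 requires Splunk to run as root; if you prefer to run it unprivileged, listen on a high port and redirect 514 to it at the firewall or OS level.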
Thanks for the help @ndesignhouse, I am able to search for the events now using the search string:
index=* sourcetype=pan*
The only difference from yours is that I am using the monitor stanza and using the Splunk_TA_paloalto 3.6 instead of 3.5.2.
[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
Glad I could help :)
Does it have to be in a UDP stanza? I have it on monitor because I have set up my HF server to save events received from the PA Server to a specific directory.
I noticed a newer version, so I have installed Splunk_TA_paloalto 3.6 on my Deployer, HF, Indexer and SearchHead.
The below is what I have on my HF only. Currently, I still do not see any indexed data on the Indexer server. Am I missing some config steps on the Indexer or SearchHead server?
[monitor:///home/splunk/remote/ip/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
Yes you can use monitor. I use monitor as well. You won't need the no_appending_timestamp as that is an attribute for UDP only.
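For the file-based route discussed above, as an added example (not from the original thread): the monitor stanza with the UDP-only attribute dropped, the index set, and the host_segment value lined up with the directory layout. The index name pan_logs follows the question; the concrete path /home/splunk/remote/10.0.0.5/pan.log is an assumed illustration of the layout quoted in the thread.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf on the HF
# Added example; the sample path below is assumed.
# Files land as /home/splunk/remote/<firewall-ip>/<name>.log, for instance
#   /home/splunk/remote/10.0.0.5/pan.log
#   segment:    1     2      3       4       5
[monitor:///home/splunk/remote/*/*.log]
disabled = false
sourcetype = pan:log
index = pan_logs
# Segment 4 of the path is the sending firewall's IP, so each event's host
# field is set from the directory name rather than from the log line itself
host_segment = 4
# no_appending_timestamp is only honoured in [udp://...] stanzas; it is omitted here
```

Check what the HF is really watching with `$SPLUNK_HOME/bin/splunk list monitor` and `$SPLUNK_HOME/bin/splunk btool inputs list monitor --debug`. Because host comes from the directory name, the receiving syslog daemon on the HF must create that directory from the peer address it saw, not from a hostname carried inside the message; otherwise a sender could choose which host its events are attributed to.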
Hi @ndesignhouse, we are not using the UF. We setup PA server to send directly to the HF.
On the HF your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf
Since you are using 3.5.2 you can use the 5.x stanza.
Have you tried this already?
Are you using the universal forwarder?