All Apps and Add-ons

How to Configure Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enteprise 6.3.3) on my Linux environment.

jl_Splunk
Engager

Hello,
I am trying to setup Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enteprise 6.3.3). I already have the Palo Alto logs sending to the Forwarder. I have installed the Splunk_TA_paloalto (3.5.2) using the directions provided by Splunk for Palo Alto Networks "http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on" but it doesn't really provide a detailed instruction on how to configure the required files on the Forwarder and the Indexer. If I do not use the Palo Alto App, which inputs.conf do I follow? How do I create the pan_logs Indexes? Do I create the input using the 5.x or 4.x stanza? Can someone please advise or help?

0 Karma
1 Solution

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

View solution in original post

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

jl_Splunk
Engager

Thanks for help @ndesignhouse , I am able to search for the events now using the search string:

index=* sourcetype=pan*

The only difference from yours is that I am using the monitor stanza and using the Splunk_TA_paloalto 3.6 instead of 3.5.2.

[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Glad i could help : )

0 Karma

jl_Splunk
Engager

Does it have to be in UDP stanza? I have it on monitor because I have setup my HF server to save events received from PA Server to a specific directory.

I notice a latest version so I have installed Splunk_TA_paloalto 3.6 on my Deployer, HF, Indexer and SearchHead.

The below is what I have on my HF only. Currently, I still do not see any indexed data on the Indexer server. Am I missing some config steps on the Indexer or SearchHead server?

[monitor:///home/splunk/remote/ip/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Yes you can use monitor. I use monitor as well. You won't need the no_appending_timestamp as that is an attribute for UDP only.

0 Karma

jl_Splunk
Engager

Hi @ndesignhouse, we are not using the UF. We setup PA server to send directly to the HF.

0 Karma

ndesignhouse
Explorer

On the HF your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

Have you tried this already?

0 Karma

ndesignhouse
Explorer

Are you using the universal forwarder?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...