All Apps and Add-ons

How to Configure Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3) on my Linux environment.

jl_Splunk
Engager

Hello,
I am trying to set up Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3). I already have the Palo Alto logs sending to the Forwarder. I have installed the Splunk_TA_paloalto (3.5.2) using the directions provided by Splunk for Palo Alto Networks "http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on" but it doesn't really provide detailed instructions on how to configure the required files on the Forwarder and the Indexer. If I do not use the Palo Alto App, which inputs.conf do I follow? How do I create the pan_logs Indexes? Do I create the input using the 5.x or 4.x stanza? Can someone please advise or help?

0 Karma
1 Solution

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

jl_Splunk
Engager

Thanks for help @ndesignhouse , I am able to search for the events now using the search string:

index=* sourcetype=pan*

The only difference from yours is that I am using the monitor stanza and using the Splunk_TA_paloalto 3.6 instead of 3.5.2.

[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Glad I could help :)

0 Karma

jl_Splunk
Engager

Does it have to be in UDP stanza? I have it on monitor because I have setup my HF server to save events received from PA Server to a specific directory.

I notice a latest version so I have installed Splunk_TA_paloalto 3.6 on my Deployer, HF, Indexer and SearchHead.

The below is what I have on my HF only. Currently, I still do not see any indexed data on the Indexer server. Am I missing some config steps on the Indexer or SearchHead server?

[monitor:///home/splunk/remote/ip/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Yes you can use monitor. I use monitor as well. You won't need the no_appending_timestamp as that is an attribute for UDP only.

0 Karma
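The point made above (no_appending_timestamp only applies to udp/tcp inputs, and host_segment picks the host out of the monitored path) is easy to check mechanically. The following is an added example, not code from the thread or from the Palo Alto add-on: it parses an inputs.conf fragment, flags the UDP-only attribute when it appears in a monitor stanza, and shows which path segment host_segment = 4 selects. The sample stanzas are constructed to mirror the ones posted in this thread; the attribute list and the pan:log sourcetype check are assumptions based on what the thread states, not a full validation of Splunk's inputs.conf spec.

```python
"""Lint a Splunk inputs.conf fragment for the mistakes discussed in the thread.

Added example; not part of Splunk_TA_paloalto or the original posts.
"""
import configparser
from typing import Dict, List

# Constructed sample: the udp stanza and the monitor stanza from the thread,
# with the UDP-only attribute copied onto the monitor stanza by mistake.
SAMPLE_INPUTS_CONF = """
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
"""

# Attributes that only have an effect on network (udp/tcp) inputs.
# Splunk silently ignores them on a monitor stanza (assumption from the thread).
NETWORK_ONLY_ATTRS = {"no_appending_timestamp"}

# Sourcetype the add-on expects for raw Palo Alto syslog.
EXPECTED_SOURCETYPE = "pan:log"


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {attribute: value}} for an inputs.conf fragment."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep attribute names exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def input_type(stanza: str) -> str:
    """'udp://514' -> 'udp', 'monitor:///path' -> 'monitor'."""
    return stanza.split(":", 1)[0]


def lint_stanzas(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag attributes that do not belong on the stanza type they appear in."""
    findings: List[str] = []
    for name, attrs in stanzas.items():
        kind = input_type(name)
        if kind == "monitor":
            for attr in sorted(NETWORK_ONLY_ATTRS.intersection(attrs)):
                findings.append(
                    f"{name}: '{attr}' applies only to udp/tcp inputs and is ignored here"
                )
            if "host_segment" in attrs and not attrs["host_segment"].isdigit():
                findings.append(f"{name}: host_segment must be a positive integer")
        if attrs.get("sourcetype") != EXPECTED_SOURCETYPE:
            findings.append(f"{name}: sourcetype should be {EXPECTED_SOURCETYPE}")
    return findings


def host_from_segment(path: str, host_segment: int) -> str:
    """Return the path segment Splunk would use as the host for host_segment=N.

    Segments are counted from 1, ignoring the leading slash, so for
    /home/splunk/remote/10.0.0.1/traffic.log a host_segment of 4 yields 10.0.0.1.
    """
    parts = [p for p in path.split("/") if p]
    if host_segment < 1 or host_segment > len(parts):
        raise ValueError(f"host_segment {host_segment} out of range for {path}")
    return parts[host_segment - 1]


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for finding in lint_stanzas(parsed):
        print("WARNING:", finding)
    # Constructed file path under the monitored directory from the thread.
    print("host =", host_from_segment("/home/splunk/remote/10.0.0.1/traffic.log", 4))
```

Run it against the local inputs.conf before restarting the heavy forwarder; the only warning on the constructed sample is the stray no_appending_timestamp in the monitor stanza, and the host lookup confirms that host_segment = 4 resolves to the per-firewall directory name rather than the file name.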

jl_Splunk
Engager

Hi @ndesignhouse, we are not using the UF. We setup PA server to send directly to the HF.

0 Karma

ndesignhouse
Explorer

On the HF your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

Have you tried this already?

0 Karma

ndesignhouse
Explorer

Are you using the universal forwarder?

0 Karma