Very glad it's working now. Thanks for letting us know!

Hi Brian, The answer solves the case of using a Heavy Forwarder as the means of ultimately getting the data into Splunk, however this hasn't solved the issue of a UF on a Syslog-NG server that sends the data onto the indexers.

I am still confused why the sourcetyping works correctly when the app is installed in SPLUNK_HOME/etc/apps on the indexer, but it DOES NOT WORK when the app is in the SPLUNK_HOME/etc/slave-apps/_cluster directory on a clustered indexer.

Installed the app in SH, Cluster Master, and Heavy Forwarders and the thing started working as expected. So copying the app folder into the HF and restarting did the job.

A little confused though... All data seemed to be parsed into the right sourcetypes now, including last week's data, which hadn't been parsed correctly. I was expecting only today's data to be parsed correctly. (Not that I'm complaining! ha!, but would like to understand why..)

The App applies field extractions and parsing at Search Time, not index time. This is why historical data is working correctly.

Where on the CM did you put this?

Thanks Eric,

It's in the /master-apps/ in the CM, but it was pushed there via the UI, using the Distributed Configuration Bundle from the Search Head. It's replicated correctly in the /slave-apps/ directories.

Is the sourcetype pan_log or pan_logs(plural)? This is very confusing and could be the source of the problem. The index is pan_logs, correct?

The sourcetype is pan_log

The index is pan_logs

I initially typed it wrong in my answer, but corrected it now. Thanks for the catch.

Yes, this is confusing, and it will be changed in the next version of the app (version 5.0) coming out soon.

The sourcetype is set to pan_log . The following is the inputs.conf stanza for my syslog-ng server

Push PaloAlto Syslog to Splunk:

[monitor:///var/log/syslog-ng/paloalto]
disabled = false
index = pan_logs
sourcetype = pan_log
no_appending_timestamp=true
host_segment = 5

The architecture is now:
- PA sends syslog to syslog-ng server with UF
- UF forwards to indexer cluster load balancing between three indexers
- Each indexer has the app in the $SPLUNK_HOME/etc/slave-apps/_cluster directory
- The search head has the app in $SPLUNK_HOME/etc/apps

Our 2nd site with just PA --> UF --> Standalone indexer <-- Search Head parses the logs just fine with the correct sourcetypes.

Our primary site did have a stand alone indexer and it worked. When we changed to the indexer cluster is when the parsing/sourcetyping stopped working.

As a test, I copied the app from .../etc/slave-app/_cluster to /etc/apps on one of the clustered indexers and rebooted the box.

The sourcetyping is now correct for indexer02, but incorrect on indexer01 and indexer03

There appears to be something unique with the clustered indexer setup

Permissions?

The app in both /etc/apps and /etc/slave-apps have the same OS level permissions and the same Splunk app permissions as listed below

Application-level permissions

[]
access = read : [ * ], write : [ admin, power ]

EVENT TYPES

[eventtypes]
export = system

PROPS

[props]
export = system

TRANSFORMS

[transforms]
export = system

[lookups]
export = system

OTHER

[savedsearches]
export = none

[commands]
export = system

Hi Eric,

So, just to clarify, when you say: "If you're ingesting via syslog / UDP on a HF, you need the props/transforms, same as an indexer."

Do you mean that one would need the Palo Alto App in the Search Head, Indexers, as well as the Heavy Forwarder? My previously proposed answer has my thinking on the why.

Thank you both.

However, I am still not getting the correct sourcetypes.

I have my PAs sending their syslogs to a Syslog-NG server with a UF. The UF's inputs.conf sets the index to pan_logs and the sourcetype to pan_log. Both the Search Heads and the Indexers have the app installed.

The standalone (non-clustered) Indexer is reassigning the correct sourcetypes (pan_traffic, pan_config, etc), however the indexers in the cluster are not. I only see the original set pan_log.

Is there a different required config for a clustered instance?

Configuration for clustered indexers needs to be applied via the cluster bundles under $splunk_home/etc/master-apps/.

My configurations/apps are deployed via $splunk_home/etc/master-apps/ The PA app/transforms that change the sourcetype are NOT working when they reside in the $splunk_home/etc/slave-apps directory, they only seem to work when in the $splunk_home/etc/apps directory

Did you ever get this figured out? Trying to setup PA for the first time in a clustered environment and universal forwarder on syslog-ng server forwarding cisco and PA logs to the clustermaster/indexers. None of the dashboards are populating.

Hi, where do you have the components?

On the cluster master I have
$SPLUNK_HOME/etc/master-apps
/SplunkforPaloAltoNetworks
/TA-paloalto

On the SyslogNG server I have

$SPLUNK_HOME/etc/apps
/SplunkforPaloAltoNetworks
/TA-paloalto

The mistake I made originally was on the cluster master I put all my apps in

$SPLUNK_HOME/etc/master-apps/_cluster/

Only local should go in _cluster

I do not have the app installed on the syslog server. The TA was the only one installed.
/opt/splunkforwarder/etc/apps/Splunk_TA_paloalto.

My inputs.conf looks like:

#Palo Alto Devices
[monitor:///var/log/data/palo/.../*]
disabled = 0
host_segment = 6
sourcetype = pan:log
no_appending_timestamp = true
ignoreOlderThan = 1d
index = pan_logs
blacklist = .gz$

The TA was also placed on the deployment server in deployment apps and deployed to the syslog server, the indexers (via the cluster master), and the search head.

Still nothing. I had it working and then it stopped. Not sure what I'm doing wrong. Either in syslog-ng or splunk