Palo Alto Networks Add-on for Splunk: How to resolve "Invalid key in stanza" errors?

goodsellt
Contributor

Hello,

When attempting to distribute the Palo Alto Networks Add-on for Splunk, I'm receiving the following errors from Splunk regarding the push. This is on the currently deployed version of the Palo Alto Networks Add-on for Splunk on Splunkbase. I'm currently running 6.3.0.1. What ideas do you have or steps should I take to remediate this problem?

    Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true })

    Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true })

Here is what the config file in question looks like:

[screenshot of alert_actions.conf]

0 Karma
1 Solution

Richfez
SplunkTrust

A bit of digging seems to show it's part of the adaptive response stuff, which if I'm not mistaken was first introduced in Splunk 6.5. Perhaps it was introduced in Splunk Enterprise Security 4.5 - either way, I suspect it's not supported in your version(s).

Please try commenting those lines out (should be able to prepend each line with a hash/pound sign #), or make a backup of the file and then delete them then restart Splunk. You'll want to remove/comment out everything from the line starting param._cam through to the single } at the end of each section. I suspect that will make those errors go away.

If that works, I'd send feedback to the app maintainers and let them know. Or something. 🙂

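
To apply the workaround above without hand-editing, here is an added example script (not part of this thread or of the add-on) that comments out every param._cam block, from the key line through the closing }, after backing the file up. It goes a little beyond the reply by handling both backslash-continued multi-line values and a value written on one line; the sample conf text is constructed to resemble the add-on's stanzas, and the path to pass is the alert_actions.conf from the error messages.

```python
import re
import shutil
import sys
from pathlib import Path

CAM_KEY = re.compile(r"^\s*param\._cam\s*=")
# Constructed sample resembling the add-on's stanzas (not the real file).
SAMPLE_CONF = """\
[pantag]
label = Tag to Palo Alto Networks
param._cam = {\\
    "category": ["Information Conveyance"],\\
    "supports_adhoc": true\\
}
param.action = add

[panwildfiresubmit]
param._cam = { "category" : ["Information Gathering"], "supports_adhoc" : true }
param.verbose = 0
"""

def comment_out_cam_params(conf_text: str) -> tuple[str, int]:
    """Return (rewritten text, number of param._cam blocks commented out).
    A block runs from a 'param._cam =' line until the braces opened on it are
    balanced again: the lone '}' of a backslash-continued value, or the key line
    itself for a one-line value. Assumes no braces inside the JSON strings."""
    out, blocks, depth, in_block = [], 0, 0, False
    for line in conf_text.splitlines(keepends=True):
        if not in_block and CAM_KEY.match(line):   # '# param._cam' never matches
            in_block, blocks = True, blocks + 1
        if in_block:
            depth += line.count("{") - line.count("}")
            out.append("# " + line)
            if depth <= 0:                          # closing brace reached
                in_block, depth = False, 0
        else:
            out.append(line)
    return "".join(out), blocks

def rewrite_file(path: Path) -> int:
    """Back up path to path.bak, then write the commented-out version in place."""
    new_text, blocks = comment_out_cam_params(path.read_text())
    if blocks:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text)
    return blocks

if __name__ == "__main__" and len(sys.argv) > 1:
    print(f"commented out {rewrite_file(Path(sys.argv[1]))} block(s); restart Splunk to apply")
```

Run it as `python3 script.py /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf` on the cluster master, then push the bundle again; running it twice is harmless because already-commented lines are left alone.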

splk
Communicator

Had the same error on Splunk 6.5.1 Cluster (no Enterprise Security in use)!

pgrasswill
Engager

For me it was solved after upgrading to 6.5.3.

0 Karma

richgalloway
SplunkTrust

Since your problem is different from this one you should post a new question.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

panguy
Contributor

Splunk 6.4 is the version needed to support those stanzas.

0 Karma

goodsellt
Contributor

Thanks for this info!

0 Karma

goodsellt
Contributor

This did work out for me, thanks! Looks like we need to get ourselves onto the latest version here soon.

0 Karma