I'm trying to install the PAN App and Add-on from Splunk base:
PAN App - 6.0.1
PAN Add-on - 6.0.2
My environment: Splunk Enterprise 6.4.5 (distributed)
Following the documentation at https://splunk.paloaltonetworks.com/installation.html
1. I installed Add-on and App on the Search-Head Server with no issues
2. Then I unzipped and untarred the Add-on and added it to Master Apps on the Cluster Master Server
3. Then I tried to distribute the configuration bundle (so the Splunk Cluster Master pushes the Add-on to the Indexers as a slave app). But it failed with this message:
"In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered: No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/addon_builder.conf ; Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }). ; Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }). ;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/splunk_ta_paloalto_settings.conf"
I haven't really modified much, just changed the index from the default to ix_pan_logs (so I can identify how much data is going there and manage it properly in the future). To do this I just created a 'local' folder within the Add-on, copied the inputs.conf from the default folder within the Add-on, and then edited that copied inputs.conf file.
This is what it looks like:
[autofocus_export]
index = ix_pan_logs
start_by_shell = false
sourcetype = AutoFocus
interval = 3200
[aperture]
sourcetype = pan:aperture
#################
# MineMeld inputs
#################
[minemeld_feed]
index = ix_pan_logs
start_by_shell = false
sourcetype = pan:minemeld
interval = 30
I reviewed the error message and all the files seem to exist, so I'm not sure how to resolve the problem.
No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/addon_builder.conf
Here is the content of that file:
[base]
builder_version = 2.2.0
builder_build = 12
is_edited = 0
Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam
Here is the content of that file:
[pantag]
is_custom = 1
label = PAN : Tag to Dynamic Address Group
description = Add/remove Palo Alto Networks dynamic address group tag
icon_path = appicon.png
payload_format = json
ttl = 240
command = sendalert $action_name$ param.action=$device$ param.action=$action$ param.tag=$tag$ | stats count
track_alert = 1
param._cam = {\
"category" : ["Information Conveyance"],\
"task" : ["create", "delete", "allow", "block"],\
"subject" : ["network.firewall"],\
"technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}],\
"drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",\
"supports_adhoc" : true\
}
[panwildfiresubmit]
is_custom = 1
label = PAN : Submit URL to WildFire
description = Palo Alto Networks WildFire analyzes the URL for malware
icon_path = appicon.png
payload_format = json
ttl = 240
command = sendalert $action_name$ | stats count
track_alert = 1
param._cam = {\
"category" : ["Information Gathering"],\
"task" : ["scan"],\
"subject" : ["process.sandbox"],\
"technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}],\
"drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",\
"supports_adhoc" : true\
}
No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/splunk_ta_paloalto_settings.conf
Content of the file:
[proxy]
[logging]
[additional_parameters]
Any comments/guide will be really appreciated.
I would remove alert_actions.conf from the slave app; they won't ever be needed on an indexer.
This link might help you
https://answers.splunk.com/answers/471287/palo-alto-networks-add-on-for-splunk-how-to-resolv.html
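One way to apply that advice before pushing the bundle, as an added example rather than code from this thread, from Splunk or from the PAN add-on: a small POSIX shell helper that strips the three search-head-only files named in the validation errors above from an indexer-bound copy of the add-on and lists what remains. The function names and the file list are this example's own assumptions; adjust the list if your validator reports other files.

```shell
#!/bin/sh
# Added example: prune search-head-only files from a master-apps copy of an add-on
# so the cluster master's bundle validation no longer trips over them.
# The three files below are the ones the validator rejected in the thread above
# (no spec file / unknown param._cam key); indexers never read any of them.

SH_ONLY_FILES="default/addon_builder.conf default/alert_actions.conf default/splunk_ta_paloalto_settings.conf"

# prune_sh_only_files <app_dir>
# Deletes each listed file if present and prints what it removed.
# Returns 1 (and removes nothing) if <app_dir> is not a directory.
prune_sh_only_files() {
    app_dir="$1"
    [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 1; }
    removed=0
    for rel in $SH_ONLY_FILES; do
        f="$app_dir/$rel"
        if [ -f "$f" ]; then
            rm -f "$f"
            echo "removed $f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed file(s) removed from $app_dir"
    return 0
}

# list_remaining_conf <app_dir>
# Prints the .conf files left in the app, sorted, so you can eyeball that only
# indexer-relevant config (props, transforms, inputs, indexes...) is still there.
list_remaining_conf() {
    find "$1" -name '*.conf' | sort
}

# Usage on the cluster master (hypothetical path, matching the thread's layout):
#   prune_sh_only_files /opt/splunk/etc/master-apps/Splunk_TA_paloalto
#   list_remaining_conf  /opt/splunk/etc/master-apps/Splunk_TA_paloalto
```

After pruning, run `splunk validate cluster-bundle` on the master before `splunk apply cluster-bundle`, so a remaining problem is caught without pushing anything to the peers.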