
What is causing the issue with Palo Alto Add-On with a Splunk Distributed Deployment?

ifn_victorsanch
Engager

I'm trying to install the PAN App and Add-on from Splunk base:

PAN App - 6.0.1
PAN Add-on - 6.0.2

My environment Splunk Enterprise 6.4.5 (distributed)

Following documentation on (https://splunk.paloaltonetworks.com/installation.html)
1. I installed the Add-on and App on the Search-Head Server with no issues
2. Then I unzipped and untarred the Add-on and added it to Master Apps on the Cluster Master Server
3. Then I tried to distribute the configuration bundle (so the Splunk Cluster Master pushes the Add-on into the Indexers as a SlaveApp), but it failed with this message:

"In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered: No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/addon_builder.conf ;  Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }). ;   Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }). ;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/splunk_ta_paloalto_settings.conf"

I haven't really modified much, just changed the index from default to ix_pan_logs (so I can identify how much data is going there and manage it properly in the future). To do this I just created a 'local' folder within the Add-on, copied the inputs.conf from the default folder within the Add-on, and then edited that copied inputs.conf file.

This is what it looks like:

# Default Settings for AutoFocus Export List

[autofocus_export]
index = ix_pan_logs
start_by_shell = false
sourcetype = AutoFocus
interval = 3200

[aperture]
sourcetype = pan:aperture

#################
# MineMeld inputs
#################
[minemeld_feed]
index = ix_pan_logs
start_by_shell = false
sourcetype = pan:minemeld
interval = 30

I reviewed the error message and all the files seem to exist, so I'm not sure how to resolve the problem.

No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/addon_builder.conf

Here is the content of that file:

# this file is generated by add-on builder automatically
# please do not edit it

[base]
builder_version = 2.2.0
builder_build = 12
is_edited = 0

Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam
Here is the content of that file:

[pantag]
is_custom         = 1
label             = PAN : Tag to Dynamic Address Group
description       = Add/remove Palo Alto Networks dynamic address group tag
icon_path         = appicon.png
payload_format    = json
ttl               = 240
command           = sendalert $action_name$ param.action=$device$ param.action=$action$ param.tag=$tag$ | stats count
track_alert       = 1

param._cam = {\
    "category" :   ["Information Conveyance"],\
    "task" :       ["create", "delete", "allow", "block"],\
    "subject" :    ["network.firewall"],\
    "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}],\
    "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",\
    "supports_adhoc" : true\
}


[panwildfiresubmit]
is_custom         = 1
label             = PAN : Submit URL to WildFire
description       = Palo Alto Networks WildFire analyzes the URL for malware
icon_path         = appicon.png
payload_format    = json
ttl               = 240
command           = sendalert $action_name$ | stats count
track_alert       = 1

param._cam = {\
    "category" :   ["Information Gathering"],\
    "task" :       ["scan"],\
    "subject" :    ["process.sandbox"],\
    "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}],\
    "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",\
    "supports_adhoc" : true\
}

No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/splunk_ta_paloalto_settings.conf
Content of the file:

[proxy]

[logging]

[additional_parameters]

Any comments/guide will be really appreciated.

nickhills
Ultra Champion

I would remove alert_actions.conf from the slave_app, they won't ever be needed on an indexer.

If my comment helps, please give it a thumbs up!
0 Karma
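As an added example (not code from the thread, the PAN add-on or Splunk), a small pre-flight check that reproduces the two kinds of findings the cluster master reported above: a .conf under default/ with no matching .conf.spec in the app's README or the system README, and a key its spec never declares. The spec lookup locations, the spec-parsing rules and the fixture contents are assumptions; the fixture also shows that dropping alert_actions.conf clears the param._cam finding but leaves the missing-spec ones.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Return {stanza: {key: value}}; a trailing backslash joins the next line."""
    stanzas, cur = {}, "default"
    for line in Path(path).read_text().replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line[0] in "#*":          # comments and .spec description lines
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            stanzas.setdefault(cur, {})[key] = val
    return stanzas

def preflight(app_dir, system_readme):
    """Findings worded as the cluster master reports them: missing .conf.spec, or a key its spec omits."""
    out = []
    for conf in sorted(Path(app_dir, "default").glob("*.conf")):
        cands = (Path(d, conf.name + ".spec") for d in (Path(app_dir, "README"), system_readme))
        spec = next((p for p in cands if p.exists()), None)     # assumed lookup order
        if spec is None:
            out.append(f"No spec file for: {conf}")
            continue
        allowed = {k for st in parse_conf(spec).values() for k in st}
        for stanza, keys in parse_conf(conf).items():
            out += [f"Invalid key in stanza [{stanza}] in {conf}: {k}"
                    for k in keys if k not in allowed]
    return out

def demo(apply_fix=False):
    """Constructed fixture: a cut-down TA plus a system spec that does not declare
    param._cam; apply_fix=True drops alert_actions.conf, as the answer suggests."""
    root = Path(tempfile.mkdtemp())
    files = {
        "README/alert_actions.conf.spec": "[<stanza name>]\nis_custom = <bool>\n* flag\ncommand = <string>\n",
        "Splunk_TA_paloalto/default/addon_builder.conf": "[base]\nis_edited = 0\n",
        "Splunk_TA_paloalto/default/alert_actions.conf":
            "[pantag]\nis_custom = 1\ncommand = sendalert $action_name$\n"
            'param._cam = {\\\n  "task" : ["create"],\\\n  "supports_adhoc" : true\\\n}\n',
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    if apply_fix:
        (root / "Splunk_TA_paloalto/default/alert_actions.conf").unlink()
    return preflight(root / "Splunk_TA_paloalto", root / "README")
```

Pointing preflight() at a real master-apps copy and $SPLUNK_HOME/etc/system/README gives the same list the master would reject on, before anyone reaches for --skip-validation.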
