Archive

Paxheaders problems

Builder

Both the Splunk for QualysGuard app and the Splunk for Palo Alto Networks app use something called Paxheaders and both of them throw errors at startup that prevent a clean restart.

What is Paxheaders? Why is it bundled with these apps? How do I troubleshoot it?

Here are some sample errors:

Error while parsing 'c:\program files\splunk\etc\apps\SplunkforPaloAltoNetworks\
default\data\ui\views\PaxHeader\system_overview.xml':
syntax error: line 1, column 0

Error while parsing 'c:\program files\splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\PaxHeader\threat_overview.xml':

syntax error: line 1, column 0

Error while parsing 'c:\programfiles\splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\PaxHeader\traffic_overview.xml':
syntax error: line 1, column 0

Error while parsing 'c:\program files\splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\PaxHeader\url_filtering.xml':
syntax error: line 1, column 0

Error while parsing 'c:\program files\splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\PaxHeader\web_req.xml':
syntax error: line 1, column 0

Error while parsing 'c:\program files\splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\PaxHeader\web_usage_report.xml':
syntax error: line 1, column 0

We're running 4.3.1.

Thx.

Craig

Tags (1)
0 Karma

Contributor

Actually it looks like it's because the install file was a tgz file and I wasn't using the tar command to unextract it properly. run tar -xvzf on the downloaded app file and it should display the directory structure properly without PaxHeaders included.

0 Karma

SplunkTrust
SplunkTrust

I've found that developers using a Mac sometimes accidentally include these files in the archive, I just remove them if they appear and let the developer know.

Tools like 7zip on Windows will show these files, where I suspect the tool the developer is using makes these files invisible.

0 Karma

Contributor

Anyone ever figure this out? I have been testing some apps on a splunk instance locally where I have the option to just install files from the UI and it works fine, but I've also noticed a PAX header file in all the subdirectories of the original install file. I'm wondering what these do?

0 Karma