Apparently I need the app to be able to use its Panorama integration. But I don't think that I need the 100+GB of index that it is trying to create (I am OK with just using Splunk ES's Network Traffic datamodel).
Is there a way for me to keep the PaloAlto App from trying to index everything on my ES Server?
So the answer is
Credit for this answer really goes to adonio.
Hello MonkeyK,
Can you elaborate?
I don't think that the latest version of the PAN app or TA comes with the pan index. Also, I am not exactly clear how using the ES Network Traffic DM is related to that. The app by itself does not index anything, and it is recommended to have only the TA where ES is installed.
You can point the data wherever you would like. What does your Splunk environment look like?
Regarding Panorama, follow the docs to bring that data in.
Hope it helps.
Hi adonio,
We have installed PAN app 5.2 because TA 3.6.1 is already on our indexer. When the PAN app was installed it started building the PAN firewall logs datamodel.
Our environment is 2x Splunk Indexers, and then two search heads for Splunk Core and another two search heads for Splunk ES.
As noted, we had TA 3.6.1 on the indexers.
Splunk Core already had PAN app 5.2.
I want to be able to use pantag on Splunk ES, so our options were to upgrade indexers and Splunk Core to 3.7.1/5.3.1 or just install PAN app 5.2 on the ES search head. My admin prefers the latter.
The problem is that the PAN firewalls data model is going to eat 100GB+ and while it builds other datamodels are suffering. These are two separate problems:
- We have not planned for the extra 100GB+ of datamodel
- My Network_Traffic datamodel (part of ES) based searches are not working correctly.
If this is a limitation, it will be a real shame since pantag has the potential to be a huge step up in our security posture.
The PAN data models (Palo Alto Networks Endpoint Logs, Palo Alto Networks Firewall Logs, and Palo Alto Networks WildFire Malware Reports) are defined in the Palo Alto App (not the TA).
Install the TA on all your instances. DO NOT install the app on the ES search head, for the reasons you mentioned above.
The docs specifically state that ES has to be installed by itself. Read more here: http://docs.splunk.com/Documentation/ES/4.7.0/Install/DeploymentPlanning
Unfortunately, we tried the PAN App 5.2 first. Did not realize that this messes with the Splunk ES datamodels until much later. Found this answer describing it:
https://answers.splunk.com/answers/337816/why-does-a-tstats-search-for-an-accelerated-data-m.html
We disabled the PAN firewall data model acceleration, but I think that the PAN data modeling is still messing with Splunk ES datamodels.
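As an added illustration (not from anyone in this thread), this is what a local datamodels.conf override on the ES search head looks like when the app is already installed and you want to stop it from building the PAN summaries, as the last post describes. The stanza names pan_firewall, pan_endpoint and pan_wildfire, the app directory SplunkforPaloAltoNetworks and the earliest_time value are assumptions; confirm them against the app's own default/datamodels.conf before use.

```ini
# Added example, not the app's shipped config.
# Path (app directory name ASSUMED):
#   $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/datamodels.conf
# Settings in local/ take precedence over default/ and survive app upgrades,
# so the override is not lost when the app is updated.

# For contrast, roughly what the app ships in default/datamodels.conf
# (stanza name and earliest_time are ASSUMED; check the real file):
# [pan_firewall]
# acceleration = 1
# acceleration.earliest_time = -1mon

# Local override: do not accelerate the three PAN data models on the ES
# search head, so no 100GB+ tstats summaries get built on the indexers and
# ES's own Network_Traffic acceleration is not competing with them.
[pan_firewall]
acceleration = 0

[pan_endpoint]
acceleration = 0

[pan_wildfire]
acceleration = 0
```

After a restart, `splunk btool datamodels list pan_firewall --debug` shows which file each effective setting comes from, which is the quickest way to confirm the local override won over the app default.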