Splunk Enterprise

How to check whether the Palo Alto add on is working or not?

Mohanveera1
Explorer

Hello there,

 

Recently I restarted Splunk, and since then Splunk has been showing an error message regarding the Palo Alto Networks add-on. If I remove that add-on, the problem is resolved. But my query is: how can I check whether the add-on is working in the background for any purpose or not? We are using a Palo Alto firewall; is this add-on useful to collect the data from the Palo Alto firewall? If I remove this add-on, will the logs no longer be displayed in Splunk? Please help me with this query...

Thanks in advance.


Mohanveera1
Explorer

Thank you @richgalloway for your response.

The TA we are using is the Palo Alto Networks Add-on for Splunk; the following link takes you to the add-on page: Palo Alto Networks Add-on for Splunk | Splunkbase app 2757. The error that we are seeing is attached. I have got a suggestion from one of my colleagues that if we remove this add-on the problem will get solved. So please take a look and help me with this issue so that the problem can be solved, and tell me whether removing the add-on will cause any issue or not.

[attached screenshot of the error message: Mohanveera1_0-1650562322736.jpeg]

richgalloway
SplunkTrust

That app contains several modular inputs.  Removing the app will also remove the inputs, which will stop them from ingesting their respective PAN data.  If you're not using the minemeld_feed data then you should be able to disable the input to stop the error message.

---
If this reply helps you, Karma would be appreciated.

PickleRick
Ultra Champion

TAs mostly serve two purposes.

1) Getting the data in - some (like the one you're using) have scripted/modular inputs which actively "pull" data from the sources. Apart from that, many TAs define some index-time actions (indexed field extractions, ingest-time metadata overwrites and so on). This functionality "is performed" only once - as the events are getting ingested. After that, when the events are already indexed, this part of the TA is not used anymore.

2) Helping search the data - TAs contain field extractions, lookups, calculated field definitions, mappings to CIM. This part is needed during every search that involves the events matching the sourcetypes "managed" by the TA.

So even if you're not actively receiving events from Palo Alto devices, as long as you have them indexed and you're searching them, you're using the TA.

If you have an all-in-one installation, the TA is just installed on it, so it doesn't matter to you, but in the case of separate indexer and search-head layers, the 1) part is performed on indexers and/or heavy forwarders and the 2) part is performed on search heads.

Anyway, in your case the problem - as clearly stated in the error message - is that the input for "minemeld_feed" (whatever that is) doesn't work. It might be due to misconfiguration or other reasons. You should verify with the app's documentation whether you need it at all and either try to fix the configuration or simply disable that input altogether.
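Both replies above come down to the same check: find out which of the add-on's modular inputs are actually enabled on the box that ingests, and if the failing one is not needed, turn it off in local/inputs.conf rather than uninstalling the whole TA (which would also remove the search-time knowledge PickleRick describes). The script below is an added example, not code from the thread or from the Palo Alto Networks add-on. It layers a constructed default/inputs.conf under a constructed local/inputs.conf the way Splunk resolves them (local wins key by key), lists the inputs that end up enabled, and produces the local stanza that disables one of them. The stanza names (`minemeld_feed://threat_feed`, `pan_firewall://syslog`) are assumptions modelled on the input name in the error message, not the add-on's real configuration.

```python
"""
Added example: resolve a Splunk app's effective inputs.conf and emit a
local/ override that disables one modular input. Not the add-on's own
code; stanza names and values below are constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample of what a TA might ship in default/inputs.conf.
DEFAULT_INPUTS = """\
[minemeld_feed://threat_feed]
disabled = 0
interval = 300

[pan_firewall://syslog]
disabled = 1
"""

# Constructed sample of an admin's existing local/inputs.conf.
LOCAL_INPUTS = """\
[pan_firewall://syslog]
disabled = 0
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    RawConfigParser is used so '%' in values is not interpolated, and
    optionxform is disabled because Splunk keys are case-sensitive.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_inputs(default_text: str, local_text: str) -> Dict[str, Dict[str, str]]:
    """Layer local over default: a key set in local overrides the same
    key in default, stanza by stanza; stanzas only in local are added."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def enabled_inputs(merged: Dict[str, Dict[str, str]]) -> List[str]:
    """Stanzas whose effective 'disabled' is not true.

    Splunk treats a missing 'disabled' as false, so an input with no
    explicit setting counts as enabled.
    """
    truthy = {"1", "true", "t", "yes", "y"}
    return sorted(
        stanza for stanza, keys in merged.items()
        if keys.get("disabled", "0").strip().lower() not in truthy
    )


def disable_stanza(stanza: str) -> str:
    """Text to append to local/inputs.conf to turn one input off.

    Editing local/ rather than the app's default/ directory keeps the
    change across app upgrades, which overwrite default/.
    """
    return f"[{stanza}]\ndisabled = 1\n"


def main() -> None:
    merged = effective_inputs(DEFAULT_INPUTS, LOCAL_INPUTS)
    print("enabled before override:", enabled_inputs(merged))
    override = disable_stanza("minemeld_feed://threat_feed")
    print("append to local/inputs.conf:\n" + override)
    merged = effective_inputs(DEFAULT_INPUTS, LOCAL_INPUTS + override)
    print("enabled after override:", enabled_inputs(merged))


if __name__ == "__main__":
    main()
```

On a real deployment the two files would be read from the app directory on the indexer or heavy forwarder that runs the inputs (for a search head, only the search-time parts of the TA matter, and no input stanza needs to be enabled there at all). Confirming the second purpose, search-time knowledge, is a separate check: search your indexed firewall events with the sourcetypes the add-on documents and see whether its field extractions are populated.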

richgalloway
SplunkTrust

Some TAs ingest data and others only parse arriving data, so we can't say what the effects of removing the TA are without knowing which one you're using.  Please share the exact name of the add-on you are using (a link to Splunkbase would be helpful).  Please also share the error message.

---
If this reply helps you, Karma would be appreciated.