Update: (problems still persist...) I've removed my inputs.conf entry in my universal forwarders /opt/splunkforwarder/etc/system/local/inputs.conf and moved them into the TA's directory in /opt/splunkforwarder/etc/apps/Splunk_TA_paloalto/local/inputs.conf My apps inputs.conf contains the same entries that I had under Splunks ~etc/system/local/inputs.conf: [udp://5514] connection_host = ip sourcetype = pan:log index = pan_logs no_appending_timestamp = true pan:log is thus far the ONLY sourcetype being created, although at least some of my raw logs show signs that they should have gotten tagged as sourcetype pan:threat, see sample below Jan 20 11:02:31 PALO-ALTO1.somedomain.local 1,2016/01/20 11:02:31,007801001089,THREAT,url,0,2016/01/20 11:02:31,192.168.2.100,74.125.226.186,0.0.0.0,0.0.0.0,Guest Outbound,,,google-base,vsys1,Guest Trusted,Guest Untrusted,ethernet1/10,ethernet1/9,PAN Log Forwarding,2016/01/20 11:02:31,263889,1,55319,80,0,0,0xc000,tcp,alert,"googleads.g.doubleclick.net/pagead/gen_204?id=wfocus&gqid=la-fVtmbFYKLFGL_s-AD&qqid=CNXIw-fhuMoCFdEsTFodTv0Dlg&bglotd=1",(9999),web-advertisements,informational,client-to-server,938841822,0x0,192.168.0.0-192.168.255.255,US,0,text/html,0,,,5,,,,,,,,0 I've confirmed that I am indeed receiving traffic (tcpdump), and verified data sent to Indexers, and finally, verified that the Indexers are also receiving this traffic (also via tcpdump). My /opt/splunk/var/log/splunk/paloalto_ta_installer.log on my indexer contains the following: 2016-01-15 13:18:51,507 [INFO] Splunk App for Palo Alto Networks Dependency Manager: Exiting... 2016-01-19 17:46:25,073 [INFO] Splunk App for Palo Alto Networks Dependency Manager: Starting... 2016-01-19 17:46:25,130 [INFO] dependency Splunk_TA_paloalto not found - installing... 2016-01-19 17:46:25,130 [ERROR] unable to copy /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/install/Splunk_TA_paloalto to /opt/splunk/etc/appsSplunk_TA_paloalto 2016-01-19 17:46:25,130 [ERROR] cannot copy tree '/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/install/Splunk_TA_paloalto': not a directory Traceback (most recent call last): File "/opt/splunk/etc/slave-apps/SplunkforPaloAltoNetworks/bin/scripted_inputs/deploy_splunk_ta_paloalto.py", line 40, in install_dependency dir_util.copy_tree(src, dst) File "/opt/splunk/lib/python2.7/distutils/dir_util.py", line 128, in copy_tree "cannot copy tree '%s': not a directory" % src DistutilsFileError: cannot copy tree '/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/install/Splunk_TA_paloalto': not a directory 2016-01-19 17:46:25,137 [INFO] Splunk App for Palo Alto Networks Dependency Manager: Exiting... My indexer DOES NOT contain an /opt/splunk/etc/slave-apps/Splunk_TA_paloalto directory, however my search heads do contain /opt/splunk/etc/apps/Splunk_TA_paloalto; perhaps not installed correctly, or at all? Thank you ... View more

Nevermind, I reread the docs, the listener wants sourcetype = pan:log. Still without proper data. ... View more

Based on feedback, seems I should remove my sourcetype definition on my UF's as stated above? sourcetype = pan:log Leaving just: [udp://5514] connection_host = ip index = pan_logs no_appending_timestamp = true ... View more

Thank you, will try further debugging. ... View more

Yup, that index is assigned to my admin role. ... View more

Yes, two decoders, one to capture non-SSL, the other to receive from a decryption device; both the same concentrator. Will send via PM. Thank you, -mi ... View more

Thank you Rui! With regards to the separate broker and concentrator, we are running our infra on VM's, and they came separate. Also, we are looking at how we will decrypt SSL traffic, thus far our plans require separate broker to decoder. I'll keep you posted on my install as I make progress, which won't be for a few weeks at best. ... View more

Yes, my PA recently denied an inbound SMTP connection. I am able to see the returned email, but the action never appears on my Splunk dash. ... View more

That was the fastest reply I've ever seen, thank you. This report is exactly what I was looking for. Is there any way to negate my internally allowed servers (internal SMTP servers, DNS servers, etc), presumably from a file, or ES? ... View more

Thank you, however I had already done this, and went a day prior; still unable to see other than benign. ... View more

I will try to populate it using Qualys... ... View more

Is extracting this information via SNMP on your roadmap? Kind regards, -mi ... View more

Hi Mikael; Thank you for your response, I don't recall adding the TA to my search head, but I just installed it; my results are much better, thank you! On another topic, how do I populate information like site, software versions, model, etc? By the way, awesome app, thank you! -mi ... View more

Read here: http://docs.splunk.com/Documentation/Splunk/6.2.5/Security/Getthird-partycertificatesforSplunkWeb "Splunk Web does not support private key passwords" You must to remove the passphrase altogether using an openssl command, then save the resulting certificate to a new one, pointing at that one. Be sure to place your changes in "etc/system/local/web.conf" Your new web.conf should look something like this: [settings] # # SSL certificate files. Paths are specified relative to SPLUNK_HOME # privKeyPath = etc/auth/splunkweb/splunk-new-cert.key caCertPath = etc/auth/splunkweb/splunk-new-cert.pem # enableSplunkWebSSL = true startwebserver = 1 httpport = 8000 enableSplunkWebSSL = true Be sure to follow best practices by disabling world read, write to these files, etc... HTH, -mi ... View more

Thank you Josh, I can offer up myself to test if needed. Regards, -mi ... View more

What does your "Output summary", on your NetFlow Integrator screen look like? Assuming you are running the NFI on the same host that contains a Universal Forwarder (UF), which you've already stated you are, it should contain it's own IP address, and a port, say 10514. Your inputs file in /opt/splunkforwarder/etc/system/local should read something like this: [udp://10514] index = flowintegrator sourcetype = flowintegrator disabled = false Sounds like you are missing the [udp://10514] piece. Also, where else did you install the TA? -mi ... View more