I do not have the app installed on the syslog server. The TA was the only one installed.
/opt/splunkforwarder/etc/apps/Splunk_TA_paloalto.
My inputs.conf looks like:
#Palo Alto Devices
[monitor:///var/log/data/palo/.../*]
disabled = 0
host_segment = 6
sourcetype = pan:log
no_appending_timestamp = true
ignoreOlderThan = 1d
index = pan_logs
blacklist = .gz$
The TA was also placed on the deployment server in deployment apps and deployed to the syslog server, the indexers (via the cluster master), and the search head.
Still nothing. I had it working and then it stopped. Not sure what I'm doing wrong, either in syslog-ng or Splunk.
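One way to sanity-check a monitor stanza like the one above before touching the forwarder is to evaluate it offline against a constructed directory listing: which files the `...`/`*` path actually matches, which ones `blacklist` or `ignoreOlderThan` drop, and which path segment `host_segment = 6` will pick as the host. The script below is an added example, not part of the original post or of the Palo Alto TA; it copies the stanza's settings, but the directory layout under `/var/log/data/palo/` and the file ages are assumed (constructed) values, and the wildcard translation is a simplified model of Splunk's behaviour.

```python
import re
from pathlib import PurePosixPath

# Constructed copy of the stanza from the post; the on-disk layout under it is assumed.
STANZA_TEXT = """
[monitor:///var/log/data/palo/.../*]
disabled = 0
host_segment = 6
sourcetype = pan:log
no_appending_timestamp = true
ignoreOlderThan = 1d
index = pan_logs
blacklist = .gz$
"""

# Constructed sample files: (absolute path, age of last modification in seconds).
SAMPLE_FILES = [
    ("/var/log/data/palo/fw-edge-01/2024/traffic.log", 3600),
    ("/var/log/data/palo/fw-edge-01/2024/traffic.log.gz", 3600),
    ("/var/log/data/palo/fw-core-02/2023/system.log", 5 * 86400),
    ("/var/log/other/syslog", 60),
]

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_stanza(text):
    """Parse one [monitor://...] stanza into (monitor_path, {key: value})."""
    monitor_path, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[monitor://(.+)\]", line)
        if m:
            monitor_path = m.group(1)
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return monitor_path, settings


def monitor_regex(monitor_path):
    """Translate Splunk monitor wildcards: '...' spans directories, '*' stays inside one segment."""
    pat = re.escape(monitor_path)
    pat = pat.replace(r"\.\.\./", "(?:.*/)?").replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + pat + "$")


def parse_age(spec):
    """Convert an ignoreOlderThan value such as '1d' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if not m:
        raise ValueError(f"unsupported ignoreOlderThan value: {spec!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def host_from_segment(path, host_segment):
    """Return the 1-based path segment that host_segment selects (the leading '/' is not counted)."""
    segs = [p for p in PurePosixPath(path).parts if p != "/"]
    return segs[host_segment - 1] if 1 <= host_segment <= len(segs) else None


def evaluate_stanza(stanza_text, files):
    """Map each sample path to 'host=<value>' if the stanza would read it, or to the
    reason it is skipped: 'no match', 'blacklisted' or 'too old'."""
    monitor_path, s = parse_stanza(stanza_text)
    path_re = monitor_regex(monitor_path)
    black_re = re.compile(s["blacklist"]) if "blacklist" in s else None
    max_age = parse_age(s["ignoreOlderThan"]) if "ignoreOlderThan" in s else None
    host_segment = int(s["host_segment"]) if "host_segment" in s else None
    decisions = {}
    for path, age in files:
        if not path_re.match(path):
            decisions[path] = "no match"
        elif black_re and black_re.search(path):
            decisions[path] = "blacklisted"
        elif max_age is not None and age > max_age:
            decisions[path] = "too old"
        else:
            host = host_from_segment(path, host_segment) if host_segment else None
            decisions[path] = f"host={host}"
    return decisions


if __name__ == "__main__":
    for path, decision in evaluate_stanza(STANZA_TEXT, SAMPLE_FILES).items():
        print(f"{decision:14} {path}")
```

With the assumed layout (firewall name, then a year directory, then the file), segment 6 resolves to the year directory rather than the firewall name, which is the kind of mismatch this check is meant to surface; a day-old `.log` is skipped by `ignoreOlderThan`, and the rotated `.gz` copy by the blacklist. Adjust `SAMPLE_FILES` to mirror the real tree on the syslog server to see what the stanza would do there.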