01-28-2015
09:18 AM
You might consider using an email address instead of the first name for the users.
04-30-2014
10:48 PM
I have not tried this, but here are some thoughts.
The PAN app accomplishes the config change by way of a custom command, panupdate. This command calls a script, panChange.py. You could:
1) install and configure the PAN app; provide credentials and information on your firewalls
2) create a search that pipes the nmap-indexed IPs to panupdate, e.g.
<search to get nmap results> | rename <nmap ip field> AS addrip | panupdate device="<your firewall IP Address>" devicegroup="<device group of your firewall>" action="add" group=" "
A big advantage of installing the app is that your firewall credentials are stored encrypted.
If you don't want to install the PAN app and just want to use the script as your own custom command, you can find it here: https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/master/bin/panChange.py . There are comments in the Python script that will help you navigate through the misc options.
If you choose to create your own custom command by copying panChange.py, you will also need to add a commands.conf and searchbnf.conf file in $SPLUNK_HOME/etc/apps/ /local . Recognize that if you go down this path, you will be storing credentials for your firewall in clear text in this Python script.
For more detail on custom commands, take a look at: http://blogs.splunk.com/2014/04/14/building-custom-search-commands-in-python-part-i-a-simple-generating-command/
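As an added example (not code from the PAN app, from panChange.py or from this post), here is the pre-check a practitioner would want in front of panupdate: every row of the search result becomes a firewall configuration change, so the addrip values should be validated as single IP literals before they leave Splunk. The function below takes rows shaped like the list of dicts that splunk.Intersplunk.readResults() hands a custom command and returns the unique, normalised addresses plus what it rejected and why. The sample rows, the field name addrip and the names select_addresses/main are this example's own assumptions; the real command would still call panChange.py to push the accepted list.

```python
"""Validate addresses from search results before they reach a firewall change
command.  Added example, not part of the PAN app or the original post.
The rows below are constructed; they are shaped like the list of dicts that
splunk.Intersplunk.readResults() gives a custom command."""
import csv
import ipaddress
import sys


def select_addresses(rows, field="addrip", allow_private=True):
    """Return (accepted, rejected).

    accepted: de-duplicated, canonical IP literals in row order.
    rejected: (original value, reason) for everything that must not be
              pushed to the firewall: empty fields, strings that are not a
              single IP, loopback/multicast/link-local addresses.
    """
    accepted, rejected, seen = [], [], set()
    for row in rows:
        raw = (row.get(field) or "").strip()
        if not raw:
            rejected.append((raw, "missing"))
            continue
        try:
            ip = ipaddress.ip_address(raw)   # rejects CIDR, hostnames, junk
        except ValueError:
            rejected.append((raw, "not an IP literal"))
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
            rejected.append((raw, "special-purpose address"))
            continue
        if not allow_private and ip.is_private:
            rejected.append((raw, "private address"))
            continue
        key = str(ip)                          # canonical form, dedupe on it
        if key in seen:
            continue
        seen.add(key)
        accepted.append(key)
    return accepted, rejected


# Constructed sample rows (assumption: the search already renamed the nmap
# field to addrip, as the panupdate search in the post does).
SAMPLE_ROWS = [
    {"addrip": "10.0.0.5", "host": "scanner1"},
    {"addrip": "10.0.0.5", "host": "scanner2"},               # duplicate
    {"addrip": " 192.0.2.10 ", "host": "scanner1"},           # whitespace
    {"addrip": "192.0.2.10; set address evil", "host": "x"},  # not an IP
    {"addrip": "127.0.0.1", "host": "scanner1"},
    {"addrip": "", "host": "scanner1"},
    {"addrip": "2001:db8::1", "host": "scanner1"},
    {"addrip": "224.0.0.1", "host": "scanner1"},
]


def main():
    """Script mode: read result rows as CSV on stdin, print one accepted
    address per line and the rejects on stderr.  Hypothetical wrapper for
    trying the check by hand; it is not the Intersplunk harness."""
    rows = list(csv.DictReader(sys.stdin))
    accepted, rejected = select_addresses(rows)
    for addr in accepted:
        print(addr)
    for value, reason in rejected:
        print(f"rejected {value!r}: {reason}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run with a CSV that has an addrip column on stdin to see the split. The rejects are worth logging rather than silently dropping: a row such as the fourth sample is the kind of thing that shows up when a field from scan output is passed through unparsed.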
03-05-2014
10:57 AM
Palo Alto customers receive an email with the latest threat file with a subject of "Application and Threat Content Update". The email contains a zip attachment, app-threat-db.zip. Extracting the zip creates an app-threat-db directory with applist.csv and threatlist.csv files. Rename the files to app_list.csv and threat_list.csv (with underscores) and move them to the lookup folder for your app, $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/lookups/
01-07-2014
06:25 PM
There is a fee for this, and it requires some agreement signing. Please contact sales@splunk.com
01-07-2014
06:02 PM
As a Splunk developer/partner, can I distribute a Splunk forwarder (universal, lightweight or heavy) on my own platform? E.g. my hardware produces a lot of data and I would like to include the Splunk forwarder as part of the installed software on my hardware config. This way, my customers, if they are Splunk customers, or if they want to try out Splunk, can easily index the data from my device.
12-30-2013
02:10 PM
1 Karma
Thanks Damien. The little preamble to this is that one needs to instantiate a client.connect object (service in the example). I followed this example for the connection setup. Between your help and that, this was really painless. Thank you.
import splunklib.client as client
HOST = "localhost"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"
# Create a Service instance and log in
service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD)
# Send an event over HTTP
# Retrieve the index for the data
myindex = service.indexes["obix"]
# Submit an event over HTTP
myindex.submit("This is my HTTP event", sourcetype="access_combined.log", host="local")
12-27-2013
12:58 PM
Is there an example in the Python SDK examples that I can follow to post data to a Splunk index via the services/receivers/simple REST endpoint? If not via the Python SDK, perhaps something using urllib2 or some other Python standard library. I am currently using the Python postprocess module with curl as described here. But there is probably a more elegant, sustainable, OS-independent way to post data.
11-09-2013
09:09 PM
I would like to forward data out of a Splunk indexer to a non-Splunk system. Is there a way to do this via TCP using SSL? The 'Forward data to third-party systems' page does not mention SSL: http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Forwarddatatothird-partysystemsd
10-21-2013
03:26 PM
4 Karma
When using tstats/TSIDX and when using pivot/datamodel, the dashboard panels don't seem to heed the time range set in the time range picker for the dashboard. This doesn't happen all the time, but it happens a lot, and it happens in multiple dashboards. E.g. https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks/blob/develop/default/data/ui/views/traffic_overview.xml
If I add the following line to the WHERE clause of the tstats command, the problem goes away:
WHERE earliest=$earliest$ latest=$latest$
I checked the Splunk 6 known issues page but didn't see anything about this. Is this a bug, or is this the appropriate way to use tstats?
I appreciate your insights.
Monzy
07-24-2013
03:05 PM
Can you paste your Palo Alto app's input stanza here please?
07-22-2013
04:36 PM
1 Karma
Hey Tina,
I think you have two different issues here. One is probably related to your Splunk install and the other may be app related. Let's focus on the app one for now.
What happens when you run this search by selecting All Time on the time selector?
index=pan_logs | head 10
If you see results, ensure that the timestamps of the latest events are reasonably close to the current time in your timezone. The main dashboard is real-time. Take a look at the other dashboards. Are they empty too? Ensure that you select All Time in the time selector for those events.
If you don't see logs as a result of this search and your dashboards are empty, ensure that the user you are logged in as has access to the pan_logs index. You can confirm this by going to Manager, Access Controls, Roles, admin. Scroll down; in the Indexes section (last section), ensure that pan_logs is listed in the Selected search indexes.
07-19-2013
04:37 PM
Is it possible for you to modify config files using the REST API steps documented here:
http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTconfigurations
06-24-2013
12:38 PM
Yes. The rename is required. I would suggest that you ensure that your syslog source events from your wireless controller have fields called "user account" and "IP address". If they are called something different, you will have to specify those fields.
06-24-2013
10:57 AM
Yeah. Just give them an additional field called api_user or something. This will make it easier for you to find the associated api_key.
06-24-2013
10:50 AM
I would suggest that you have the user input the API key the same way as the user inputs the username and password. In the case of the API key, you can give them a hint to have a username called _api_key.
06-20-2013
10:33 PM
I think there is an unintended rename in the search command you posted. Snipping up to the first pipe:
index=main sourcetype=syslog rename "user account" AS addruser |
Your initial search is essentially looking for the term 'rename' in the log event itself. This is probably an unlikely occurrence in the log event. If so, the search doesn't really return anything. As a result, we don't really pass anything to panupdate.
That said, I agree that panupdate should emit a better error message.
06-18-2013
12:54 PM
Hey GMF,
Did you configure a user name and password for your Panorama when you installed the app? Also, there might be more info about this error in $SPLUNK_HOME/var/log/splunk/python.log.
05-17-2013
02:51 PM
This search seems to do the trick:
index=blah | bucket _time span=1s | join _time [search index=_internal /services/receivers/simple? source=*/splunkd_access.log | bucket _time span=1s] | table user _raw
I used the bucket command so I can drop off milliseconds. One of the data sources has milliseconds and the other one doesn't.
05-17-2013
12:50 PM
Can you find the threat log or the web traffic log when you do a search? E.g. what results do you get when you run the following search in the search bar:
index=pan_logs threat | head 100
If you don't get any results then a change has to be made on the firewall side to send the appropriate logs. If you do get results and you are not seeing anything in a dashboard, then please share a couple of log lines so we can confirm that they match what the app expects.
05-17-2013
12:42 PM
I would like to report on the events submitted via the REST API by user. I have multiple users that submit data to Splunk via the REST API. The request is recorded in the _internal index as:
127.0.0.1 - user1 [16/May/2013:12:55:00.807 -0600] "POST /services/receivers/simple?source=fe_test&sourcetype=fe_xml&index=fe HTTP/1.1" 200 882 - - - 3ms
An example event may look like this:
<?xml version="1.0" encoding="utf-8"?><alerts appliance="gitest.fireeye.com" msg="normal" product="Web MPS" version="6.1.0.70271" xmlns="http://www.fireeye.com/alert/2011/AlertSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.fireeye.com/alert/2011/AlertSchema FireEyeAlert.xsd"><alert id="91" name="malware-object" severity="majr"><explanation analysis="content" protocol="tcp"><malware-detected><malware name="Trojan.Onlinegames" origid="2274" sid="2274" stype="duplicate-md5sum" type="exe"><downloaded-at>2012-07-23T08:30:39.062949</downloaded-at><md5sum>5352ffa20a29a2201074dcafccb0c9d2</md5sum><original>cao.exe</original><http-header>GET /cao/cao.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2)
Accept: */*
Host: google.netcdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 11539
Content-Type: application/octet-stream
I would like to find out the event corresponding to a submission and be able to present a table or be able to write an alert based on a combination of user and data in the submission.
I appreciate your insights.
Tags: api, correlation, rest
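The search in the answer above joins the _internal access log to the submitted events on a one-second _time bucket. As an added example that is not part of the original posts, the Python below does the same correlation outside Splunk so the join key is explicit: it parses splunkd_access.log lines of the format quoted in the question, keeps only successful POSTs to /services/receivers/simple, truncates the request time to the second, and matches each submitted event on (second, index, sourcetype). Joining on index and sourcetype as well as time is stricter than the SPL, which joins on _time alone. The log lines, events and function names (epoch, parse_submission, correlate) are constructed for this example.

```python
"""Correlate REST submissions in splunkd_access.log with the events they
produced.  Added example, not from the original posts; all sample data
below is constructed."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# 127.0.0.1 - user1 [16/May/2013:12:55:00.807 -0600] "POST /path?x=y HTTP/1.1" 200 882 ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"   # splunkd_access.log timestamp format


def epoch(ts):
    """'16/May/2013:12:55:00.807 -0600' -> POSIX seconds as a float."""
    return datetime.strptime(ts, TS_FMT).timestamp()


def parse_submission(line):
    """Return a dict for a POST to /services/receivers/simple, else None.
    The index/sourcetype/source the caller asked for are in the query string."""
    m = ACCESS_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/services/receivers/simple":
        return None
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {
        "user": m.group("user"),
        "status": int(m.group("status")),
        "_time": int(epoch(m.group("ts"))),   # same as bucket _time span=1s
        "index": params.get("index"),
        "sourcetype": params.get("sourcetype"),
        "source": params.get("source"),
    }


def correlate(access_lines, events):
    """Attach the submitting user to each event whose 1-second bucket, index
    and sourcetype match a successful (HTTP 200) submission.  Two users
    posting into the same index/sourcetype within the same second are both
    matched to every event in that second: the bucket cannot separate them."""
    by_key = {}
    for line in access_lines:
        sub = parse_submission(line)
        if sub is None or sub["status"] != 200:
            continue
        key = (sub["_time"], sub["index"], sub["sourcetype"])
        by_key.setdefault(key, []).append(sub["user"])
    matched = []
    for ev in events:
        key = (int(ev["_time"]), ev["index"], ev["sourcetype"])
        for user in by_key.get(key, []):
            matched.append({"user": user, "_time": ev["_time"], "_raw": ev["_raw"]})
    return matched


# Constructed sample data: access-log lines and the events they produced.
SAMPLE_ACCESS_LINES = [
    '127.0.0.1 - user1 [16/May/2013:12:55:00.807 -0600] "POST /services/receivers/simple?source=fe_test&sourcetype=fe_xml&index=fe HTTP/1.1" 200 882 - - - 3ms',
    '127.0.0.1 - admin [16/May/2013:12:55:00.900 -0600] "GET /services/search/jobs HTTP/1.1" 200 1204 - - - 5ms',
    '10.1.2.3 - user2 [16/May/2013:12:55:03.120 -0600] "POST /services/receivers/simple?source=fe_test&sourcetype=fe_xml&index=fe HTTP/1.1" 200 640 - - - 2ms',
    '10.1.2.4 - user3 [16/May/2013:12:55:05.011 -0600] "POST /services/receivers/simple?source=fe_test&sourcetype=fe_xml&index=fe HTTP/1.1" 401 0 - - - 1ms',
]
SAMPLE_EVENTS = [
    {"_time": epoch("16/May/2013:12:55:00.900 -0600"), "index": "fe", "sourcetype": "fe_xml",
     "_raw": '<alerts product="Web MPS"><alert id="91" name="malware-object" severity="majr"/></alerts>'},
    {"_time": epoch("16/May/2013:12:55:00.950 -0600"), "index": "main", "sourcetype": "syslog",
     "_raw": "unrelated syslog line in the same second"},
    {"_time": epoch("16/May/2013:12:55:03.400 -0600"), "index": "fe", "sourcetype": "fe_xml",
     "_raw": '<alerts product="Web MPS"><alert id="92" name="malware-object" severity="majr"/></alerts>'},
    {"_time": epoch("16/May/2013:12:55:05.200 -0600"), "index": "fe", "sourcetype": "fe_xml",
     "_raw": '<alerts product="Web MPS"><alert id="93" name="malware-object" severity="crit"/></alerts>'},
]
```

Two caveats carry over to the SPL version. The join only works when the event's _time is its receipt time; if the posted payload contains a timestamp that Splunk extracts, the event's _time moves away from the access-log second and the match is lost. And the user3 submission above was rejected (401), so the event at 12:55:05 stays unattributed rather than being credited to whoever was in the access log at that second.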
05-09-2013
09:48 AM
Thanks Neeraj. Verified. edit_tcp is the way to rest 🙂
05-07-2013
09:45 PM
Hello Michael,
In your input configuration please verify that your logs are going to the pan_logs index. You can check this by looking at the index field in the field discovery menu. If the index is 'main' or something else, you can check this by going to Manager - Data inputs - your respective input (UDP 514 is the default) - select the box that says More Settings - scroll down and choose the pan_logs index from the drop-down.
If this doesn't fix it, please share the model number of your firewall, the OS version and perhaps a sample log file. We have tested this app on PAN-OS v5.
Also, please share your inputs.conf file from $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf
04-16-2013
01:56 PM
1 Karma
Hello Jose,
There are instructions on the app's page. Short version: you will have to configure your Palo Alto firewall to forward to a Splunk server. On the Splunk side, you will have to configure an input. The readme file in the app's directory has a sample inputs.conf stanza.
Cheers,
Monzy
(Typing with thumbs)
Let's say that the Palo Alto is sending logs to UDP 5155 (the default is UDP 514); here's a sample stanza for your inputs.conf:
[udp://5155]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
04-06-2013
12:11 AM
Your error is probably due to a typo in your inputs.conf file. The Palo Alto app's index is pan_logs and not the singular pan_log. Please edit your inputs.conf.
Cheers,
Monzy
04-01-2013
05:02 PM
Thanks sideview 🙂
I wish there was a better answer.