
How to Configure Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3) on my Linux environment.

jl_Splunk
Engager

Hello,
I am trying to set up the Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3). I already have the Palo Alto logs sending to the Forwarder. I have installed the Splunk_TA_paloalto (3.5.2) using the directions provided by Splunk for Palo Alto Networks "http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on", but it doesn't really provide detailed instructions on how to configure the required files on the Forwarder and the Indexer. If I do not use the Palo Alto App, which inputs.conf do I follow? How do I create the pan_logs Indexes? Do I create the input using the 5.x or 4.x stanza? Can someone please advise or help?

0 Karma
1 Solution

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true


jl_Splunk
Engager

Thanks for the help @ndesignhouse, I am able to search for the events now using the search string:

index=* sourcetype=pan*

The only difference from yours is that I am using the monitor stanza and using the Splunk_TA_paloalto 3.6 instead of 3.5.2.

[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Glad I could help :)

0 Karma

jl_Splunk
Engager

Does it have to be a UDP stanza? I have it on monitor because I have set up my HF server to save events received from the PA server to a specific directory.

I noticed a newer version, so I have installed Splunk_TA_paloalto 3.6 on my Deployer, HF, Indexer and SearchHead.

Below is what I have on my HF only. Currently, I still do not see any indexed data on the Indexer server. Am I missing some config steps on the Indexer or SearchHead server?

[monitor:///home/splunk/remote/ip/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Yes, you can use monitor. I use monitor as well. You won't need no_appending_timestamp, as that is an attribute for UDP inputs only.

0 Karma
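The two stanzas in this thread (the udp://514 input from the accepted answer and the monitor input from the follow-up) are easy to get subtly wrong: no_appending_timestamp is a UDP-only attribute and is silently ignored in a monitor stanza, and host_segment only means something for monitor inputs. The script below is an added example, not part of this thread or of the Palo Alto add-on: it parses a local inputs.conf and reports attributes that do not apply to the stanza type they sit in, a missing or unexpected sourcetype, and disabled inputs. The sample inputs.conf embedded in it is constructed from the stanzas posted above; the lint rules are assumptions based on what this thread states, not a complete model of Splunk's inputs.conf spec.

```python
import configparser
import sys
from typing import Dict, List

# Constructed sample: the udp://514 stanza from the accepted answer plus the
# monitor stanza from the follow-up, which still carries the UDP-only attribute.
SAMPLE_INPUTS_CONF = """\
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
"""

# Assumed scope of each attribute, taken from the thread: no_appending_timestamp
# applies to udp:// stanzas only, host_segment to monitor:// stanzas only.
UDP_ONLY = {"no_appending_timestamp"}
MONITOR_ONLY = {"host_segment"}
EXPECTED_SOURCETYPE = "pan:log"  # the sourcetype both posters use


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {attribute: value}} for a Splunk-style .conf file."""
    parser = configparser.ConfigParser(
        interpolation=None,   # values like pan:log contain no % substitutions
        strict=False,         # tolerate repeated stanzas as Splunk does
        delimiters=("=",),    # ':' is part of values such as pan:log, not a delimiter
    )
    parser.optionxform = str  # keep attribute names exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def stanza_kind(name: str) -> str:
    """Classify a stanza by its scheme prefix (udp, tcp, monitor, or other)."""
    for kind in ("udp", "tcp", "monitor"):
        if name.startswith(kind + "://"):
            return kind
    return "other"


def lint_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for attributes that will not take effect."""
    findings: List[str] = []
    for name, attrs in stanzas.items():
        kind = stanza_kind(name)
        if "sourcetype" not in attrs:
            findings.append(f"{name}: no sourcetype set, so the add-on's "
                            f"{EXPECTED_SOURCETYPE} extractions will not apply")
        elif attrs["sourcetype"] != EXPECTED_SOURCETYPE:
            findings.append(f"{name}: sourcetype is {attrs['sourcetype']!r}, "
                            f"expected {EXPECTED_SOURCETYPE!r}")
        if kind != "udp":
            for attr in sorted(UDP_ONLY.intersection(attrs)):
                findings.append(f"{name}: '{attr}' only applies to udp:// "
                                f"stanzas and is ignored in a {kind} stanza")
        if kind != "monitor":
            for attr in sorted(MONITOR_ONLY.intersection(attrs)):
                findings.append(f"{name}: '{attr}' only applies to monitor:// "
                                f"stanzas and is ignored in a {kind} stanza")
        if attrs.get("disabled", "false").strip().lower() in ("1", "true"):
            findings.append(f"{name}: input is disabled, nothing will be indexed")
    return findings


def lint_file(path: str) -> List[str]:
    """Lint a real inputs.conf, e.g. $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf."""
    with open(path, encoding="utf-8") as fh:
        return lint_inputs(parse_inputs_conf(fh.read()))


if __name__ == "__main__":
    results = lint_file(sys.argv[1]) if len(sys.argv) > 1 \
        else lint_inputs(parse_inputs_conf(SAMPLE_INPUTS_CONF))
    for line in results or ["no findings"]:
        print(line)
```

Run it with the path to the HF's local inputs.conf, or with no arguments to lint the constructed sample; on the sample it reports only that no_appending_timestamp in the monitor stanza is ignored, which is exactly the point made in the answer above.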

jl_Splunk
Engager

Hi @ndesignhouse, we are not using the UF. We set up the PA server to send directly to the HF.

0 Karma

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

Have you tried this already?

0 Karma

ndesignhouse
Explorer

Are you using the universal forwarder?

0 Karma