Hello,
When attempting to distribute the Palo Alto Networks Add-on for Splunk, I'm receiving the following errors from Splunk regarding the push. This is on the currently deployed version of the Palo Alto Networks Add-on for Splunk on Splunkbase. I'm currently running 6.3.0.1. What ideas do you have or steps should I take to remediate this problem?
Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true })
Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true })
Here is what the config file in question looks like:
A bit of digging seems to show it's part of the adaptive response stuff, which if I'm not mistaken was first introduced in Splunk 6.5. Perhaps it was introduced in Splunk Enterprise Security 4.5 - either way, I suspect it's not supported in your version(s).
Please try commenting those lines out (should be able to prepend each line with a hash/pound sign #), or make a backup of the file and then delete them, then restart Splunk. You'll want to remove/comment out everything from the line starting `param._cam` through to the single `}` at the end of each section. I suspect that will make those errors go away.
If that works, I'd send feedback to the app maintainers and let them know. Or something. 🙂
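A small script that applies the workaround described above (back up the file, then comment out each `param._cam` value through its closing brace, and check that none remain). This is an added example, not the add-on's own code; the sample conf text is constructed from the stanza names and values quoted in the error messages and assumes Splunk's trailing-backslash line continuation for multi-line values.

```python
"""Comment out `param._cam` settings in a Splunk alert_actions.conf."""
import re
import shutil
import sys

# Constructed sample, not the add-on's real file: one multi-line value
# (backslash continuation) and one single-line value.
SAMPLE_CONF = """[pantag]
label = Tag to Palo Alto Networks
param._cam = {\\
  "category": ["Information Conveyance"],\\
  "task": ["create", "delete", "allow", "block"],\\
  "supports_adhoc": true\\
}
param.action = add

[panwildfiresubmit]
param._cam = {"category": ["Information Gathering"], "task": ["scan"]}
param.verbose = false
"""

CAM_KEY = re.compile(r"^\s*param\._cam\s*=")

def comment_out_cam(text):
    """Prefix every line of each param._cam value with '#'.
    Brace depth is tracked across lines, so both a one-line JSON value
    and one spread over continued lines are covered up to and including
    the line that closes the outer '{'. Already commented lines are
    skipped, so running this twice is harmless."""
    out, depth, in_cam = [], 0, False
    for line in text.splitlines():
        if not in_cam and CAM_KEY.match(line):
            in_cam = True
        if in_cam:
            depth += line.count("{") - line.count("}")
            out.append("#" + line)
            if depth <= 0:          # outer value closed on this line
                in_cam, depth = False, 0
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def remaining_cam_keys(text):
    """Return (line_no, stanza) for each still-active param._cam key;
    after the edit this should come back empty."""
    found, stanza = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*\[([^\]]+)\]", line)
        if m:
            stanza = m.group(1)
        elif CAM_KEY.match(line):
            found.append((n, stanza))
    return found

if __name__ == "__main__":
    if len(sys.argv) == 2:           # edit a real file, keeping a .bak copy
        shutil.copy2(sys.argv[1], sys.argv[1] + ".bak")
        with open(sys.argv[1]) as f:
            fixed = comment_out_cam(f.read())
        with open(sys.argv[1], "w") as f:
            f.write(fixed)
        print("remaining param._cam keys:", remaining_cam_keys(fixed))
    else:
        print(comment_out_cam(SAMPLE_CONF))
```

Run it against a copy of `alert_actions.conf` first and diff the result before touching the deployed file, then restart Splunk as the answer describes.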
Had the same error on Splunk 6.5.1 Cluster (no Enterprise Security in use)!
For me it was solved after upgrading to 6.5.3.
Since your problem is different from this one you should post a new question.
Splunk 6.4 is the version needed to support those stanzas.
Thanks for this info!
This did work out for me thanks! Looks like we need to get ourselves onto the latest version here soon.