All Apps and Add-ons

Do we need to install the Palo Alto Networks App for Splunk on all of our indexers?

dapetersen
Loves-to-Learn

We want to install the app on our search head that is running our Security app. it seems silly to me to have to connect the app on all our indexers and search heads. the reason I am asking is that In the configuration, they want you to connect to the Palo Alto device in the app. Or can I just connect the app on my search head? Does any one have any details on this? I normally run a Universal forwarder that I am collecting our firewall logs from, it just forwards the data to the indexers.

0 Karma

lguinn2
Legend

You should carefully examine the app, but yes - usually an app has components that apply to multiple tiers in a distributed system.

Search heads: search-time processing needs configuration files for - dashboards, savedsearches.conf, tags.conf, eventtypes.conf, props.conf, transforms.conf and possibly other configuration files...

Indexers: parsing and index-time needs config files for - indexes.conf, props.conf, transforms.conf, and possibly other configuration files...

Forwarders: input time needs config files for - inputs.conf, props.conf and possibly other configuration files...

There is more information here: Where do I configure my Splunk settings?

dapetersen
Loves-to-Learn

Thanks you so much or the information, I was able to get data to my Splunk, but now I can not get the app to work, I do not show that I have a sourcetype as pan_log, I am getting data to my index called Pan_logs, I am using the 4.x inputs.conf as I am not on 5.x so this inputs file I do have on my universal forwarder as follows:
[udp://5514]
connection_host = ip
index = pan_logs
sourcetype = pan_log
no_appending_timestamp = true
disabled = 0

I have this configuration under each of my three indexers, I put it in the app under the local folder and also under the addon under the local folder.

Could use a little help here as well! again thank you for all your help.

0 Karma

btorresgil
Builder

I'm the App developer, and I can confirm that the Palo Alto Networks App (and the new Add-on) need to be installed on all the Search Heads, Indexers, and Heavy Forwarders. More details are available in the new Getting Started Guide: http://pansplunk.readthedocs.org/en/latest/getting_started.html If you're having trouble getting logs to be indexed or show up in searches, you can try using the Troubleshooting Guide: http://pansplunk.readthedocs.org/en/latest/troubleshoot.html

dapetersen
Loves-to-Learn

Thank you very much for the information, I am able to get data to Our Splunk environment, but now I can not get the app to work, I have add the inputs file as follows to my universal forwarder which load balances between all three of our indexers:

[udp://5514]
connection_host = ip
index = pan_logs
sourcetype = pan_log
no_appending_timestamp = true
disabled = 0

I have also added this stanza to the app and the addon in all the indexers and searhheads. the weird thing is that I do not see a sourcetype called pan_log in my data. Can I get a little assistance with this too.

0 Karma

lguinn2
Legend

When you searched for the sourcetype, did you include the index?

index=pan_logs sourcetype=pan_log

If you just searched sourcetype=pan_log, you will search the pan_logs index IF and only IF your role has been assigned to search the pan_logs index by default. (Usually that is not the case, even for an admin, unless you have specifically set the defaults for the role.)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...