I'm using the Palo Alto Networks App for Splunk 5.0 and have it working properly with one exception. The pantag command is returning an error and I'm not sure where to look in order to troubleshoot. Is there a debug log or some way to look for logs that are being created?
Here's my syntax:
| eval src_ip="10.14.80.114" | pantag device="10.12.96.13" tag="local-malware-infected"
I have a tag & address created on the palo firewall already, and I was able to use another command (panuserupdate) with success so I believe my authentication is working properly.
When I search 1index=_internal1 and look for pantag, I don't see any results, and there's nothing in $SPLUNK_HOME/var/log/splunk that looks promising.
There was a bug in the app - it's been updated to resolve the pantag issue:
https://splunkbase.splunk.com/app/491/
To debug further run your pantag with the additional flag appended:
debug="yes"
You can then run the following search to see if there are any errors on the Python side:
index=_internal sourcetype=splunk_python