Splunk Enterprise Security

Can I have the Palo Alto App for Splunk without the index?

MonkeyK
Builder

Apparently I need the app to be able to use its Panorama integration. But I don't think that I need the 100+GB of index that it is trying to create (I am OK with just using Splunk ES's Network Traffic datamodel).

Is there a way for me to keep the PaloAlto App from trying to index everything on my ES Server?

0 Karma
1 Solution

MonkeyK
Builder

So the answer is

credit for this answer really goes to adonio


0 Karma

adonio
Ultra Champion

Hello MonkeyK,
Can you elaborate?
I don't think that the latest version of the PAN app or TA comes with the pan index. Also, I am not exactly clear how using the ES Network Traffic DM is related to that. The app by itself does not index anything, and it is recommended to have only the TA where ES is installed.
You can point the data to wherever you would like. What does your Splunk environment look like?
Regarding Panorama, follow the docs to bring that data in.
Hope it helps

0 Karma

MonkeyK
Builder

Hi adonio,
We have installed PAN app 5.2 because TA 3.6.1 is already on our indexer. When the PAN app was installed it started building the PAN firewall logs datamodel.

Our environment is:

- 2x Splunk Indexers, and then two search heads for Splunk Core and another two search heads for Splunk ES.
- As noted, we had TA 3.6.1 on the indexers.
- Splunk Core already had PAN app 5.2.

I want to be able to use pantag on Splunk ES, so our options were to upgrade the indexers and Splunk Core to 3.7.1/5.3.1 or just install PAN app 5.2 on the ES search head. My admin prefers the latter.

The problem is that the PAN firewall data model is going to eat 100GB+, and while it builds, other datamodels are suffering. These are two separate problems:

- We have not planned for the extra 100GB+ of datamodel.
- My Network_Traffic datamodel (part of ES) based searches are not working correctly.

If this is a limitation, it will be a real shame, since pantag has the potential to be a huge step up in our security posture.

0 Karma

adonio
Ultra Champion

The PAN data models (Palo Alto Networks Endpoint Logs, Palo Alto Networks Firewall Logs, and Palo Alto Networks WildFire Malware Reports) are defined in the Palo Alto App (not the TA).
Install the TA on all your instances. DO NOT install the app on the ES search head, for the reasons you mentioned above.
The docs specifically say that ES has to be installed by itself. Read more here: http://docs.splunk.com/Documentation/ES/4.7.0/Install/DeploymentPlanning

0 Karma

MonkeyK
Builder

Unfortunately, we tried the PAN App 5.2 first. We did not realize that this messes with the Splunk ES datamodels until much later. I found this answer describing it:

https://answers.splunk.com/answers/337816/why-does-a-tstats-search-for-an-accelerated-data-m.html

We disabled the PAN firewall data model acceleration, but I think that the PAN data modeling is still messing with the Splunk ES datamodels.

0 Karma
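As an added example (not code from this thread, from Splunk or from Palo Alto Networks) of checking adonio's point that the PAN data models and their acceleration come from the App rather than the TA, this script parses the output of `splunk btool datamodels list --debug` taken on the ES search head and reports, per data model, which app defines it and which app's datamodels.conf sets the winning `acceleration` value. The app directory names, stanza names and the btool sample are assumed and constructed for illustration; adjust them to your install.

```python
"""Report data model acceleration per model and the app that sets it, parsed
from `splunk btool datamodels list --debug` output. Added example for this
thread; not Splunk's, Palo Alto Networks' or the poster's code. App directory
and stanza names are assumed; the btool output below is constructed."""
import re

# Each --debug line is "<conf file path><whitespace><conf line>".
_LINE = re.compile(r"^(\S+)\s+(.*)$")
_STANZA = re.compile(r"^\[(.+)\]$")

# Constructed sample: the PAN app's firewall model has a local override
# turning acceleration off, its WildFire model is still accelerated, and
# ES's Network_Traffic model is accelerated as intended.
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default/datamodels.conf [pan_firewall]
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/datamodels.conf acceleration = 0
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default/datamodels.conf acceleration.earliest_time = -1mon
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default/datamodels.conf [pan_wildfire]
/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/default/datamodels.conf acceleration = 1
/opt/splunk/etc/apps/Splunk_SA_CIM/default/datamodels.conf [Network_Traffic]
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/datamodels.conf acceleration = 1
"""

def app_of(path):
    """'/opt/splunk/etc/apps/<app>/local/datamodels.conf' -> '<app>'."""
    m = re.search(r"/etc/(?:apps|slave-apps|shcluster/apps)/([^/]+)/", path)
    return m.group(1) if m else "unknown"

def parse_btool(text):
    """Return {model: {'defined_in': app, 'accelerated': bool, 'set_in': app|None}}."""
    models, current = {}, None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        path, line = m.groups()
        s = _STANZA.match(line)
        if s:  # stanza header: btool prefixes it with the file defining the stanza
            current = s.group(1)
            models[current] = {"defined_in": app_of(path), "accelerated": False, "set_in": None}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "acceleration":  # winning value after btool's layering
            models[current]["accelerated"] = value.strip().lower() in ("1", "true")
            models[current]["set_in"] = app_of(path)
    return models

def accelerated_outside(models, allowed_apps):
    """Models whose acceleration is set by an app not in allowed_apps (e.g. the PAN app on an ES SH)."""
    return sorted(n for n, v in models.items() if v["accelerated"] and v["set_in"] not in allowed_apps)
```

Run it against real btool output to confirm that, after removing the App from the ES search head or overriding its models in a local datamodels.conf, only the CIM and ES apps still accelerate anything.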