Threatlist Error after clean install of Palo Alto App and Add-on 6.0

kent_farries
Path Finder

I performed a clean installation of the Palo Alto Networks App 6.0 & Palo Alto Networks Add-on 6.0 on Splunk 7.0 with CIM 4.9.1 but got the following error.

  • Unable to initialize modular input "threatlist" defined inside the app "Splunk_TA_paloalto": Unable to locate suitable script for introspection.

Note:
At this time I only have Panorama 8.x and WildFire set up. I do not have the other inputs like AutoFocus set up.

panguy
Contributor

Thanks for pointing this out to us. We will get this fix into a next release.

In the meantime, the workaround is to go to:
/$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/README/inputs.conf.spec

Remove these lines at the bottom of the file:

[threatlist://<name>]
description =
interval =
disabled =
type =
url =

You will also need to comment out everything in the "MineMeld Inputs" section of the Splunk_TA_paloalto/default/inputs.conf file.
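An added example, not part of the original posts or of the add-on's own code: a Python helper that applies the workaround above to the text of a conf file, commenting out every `[threatlist://...]` stanza in `inputs.conf` or, with `drop=True`, deleting it from `inputs.conf.spec`. The function name, the `example_input` stanza and the `interval`/`disabled` values are constructed for illustration.

```python
import re

# Header of any modular-input stanza of type "threatlist".
THREATLIST_HEADER = re.compile(r"^\s*\[threatlist://[^\]]*\]")
ANY_HEADER = re.compile(r"^\s*\[")


def disable_threatlist_stanzas(conf_text, drop=False):
    """Return (new_text, stanza_headers). Each [threatlist://...] stanza is
    commented out (drop=False) or deleted (drop=True); other stanzas are kept."""
    out, names, inside = [], [], False
    for line in conf_text.splitlines():
        if ANY_HEADER.match(line):
            # A new stanza starts: decide whether it is one to disable.
            inside = bool(THREATLIST_HEADER.match(line))
            if inside:
                names.append(line.strip())
        if not inside:
            out.append(line)
        elif not drop:
            # Blank lines and existing comments stay as they are.
            skip = not line.strip() or line.lstrip().startswith("#")
            out.append(line if skip else "# " + line)
    return "\n".join(out) + "\n", names


# Constructed sample of default/inputs.conf (not the shipped file).
SAMPLE_INPUTS_CONF = """\
[example_input://keep_me]
disabled = 0

[threatlist://minemeld_ipv4threatlist]
description = MineMeld IPv4 threatlist indicators for Splunk ES
interval = 3600
disabled = 0
type = threatlist
url = lookup://minemeld_ipv4threatlist

[threatlist://minemeld_domainthreatlist]
description = MineMeld Domain threatlist indicators for Splunk ES
type = threatlist
url = lookup://minemeld_domainthreatlist
"""

if __name__ == "__main__":
    new_text, disabled = disable_threatlist_stanzas(SAMPLE_INPUTS_CONF)
    print(new_text)
    print("disabled:", disabled)
```

Running the function a second time on its own output changes nothing, because a commented-out header no longer starts a stanza.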

rpquinlan
Path Finder

After I removed those lines, when validating the cluster bundle for our index cluster, I received these errors:

```
[Not Critical] Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 23: description (value: MineMeld IPv4 threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 26: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 27: url (value: lookup://minemeld_ipv4threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 30: description (value: MineMeld Domain threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 33: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 34: url (value: lookup://minemeld_domainthreatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_urlthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 37: description (value: MineMeld URL threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_urlthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 40: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_urlthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 41: url (value: lookup://minemeld_urlthreatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_filethreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 44: description (value: MineMeld file threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_filethreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 47: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_filethreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 48: url (value: lookup://minemeld_filethreatlist).
```

After commenting out everything in the "MineMeld Inputs" section of the Splunk_TA_paloalto/default/inputs.conf file, the validation was successful.
(We're not using any of that functionality)

0 Karma

panguy
Contributor

I am updating my answer to include commenting out the lines in inputs.conf.

This bug will be fixed in version 6.0.1

kent_farries
Path Finder

After removing those lines I get these errors when starting Splunk, which are similar to the errors the other person got. My setup is a single instance for testing, so no cluster.

Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 23: description (value: MineMeld IPv4 threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 26: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 27: url (value: lookup://minemeld_ipv4threatlist).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 30: description (value: MineMeld Domain threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 33: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 34: url (value: lookup://minemeld_domainthreatlist).
Invalid key in stanza [threatlist://minemeld_urlthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 37: description (value: MineMeld URL threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_urlthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 40: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_urlthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 41: url (value: lookup://minemeld_urlthreatlist).
Invalid key in stanza [threatlist://minemeld_filethreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 44: description (value: MineMeld file threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_filethreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 47: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_filethreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 48: url (value: lookup://minemeld_filethreatlist).

0 Karma

rpquinlan
Path Finder

Kent - I commented every line out in the MineMeld Inputs section that starts with "[threatlist://minemeld_ipv4threatlist]" down to the bottom of the file, and that took care of the errors. We don't use the MineMeld functionality, so it didn't affect us.

0 Karma

jeffprandall
Engager

Same here. I did the upgrade to 6.0 App and Add On on Splunk 7.0 but my PA500 is only running 7.0.15

0 Karma

Task1906
Explorer

Same here. I did mine from an upgrade.

0 Karma

btorresgil
Builder

Thanks for opening this, can you tell me if you have Splunk Enterprise Security App installed? Also, any chance you can send a screenshot of the error?

jeffprandall
Engager

Not sure about @Task1906 but I am running the Free version of Splunk (less than 500mb)

0 Karma

Task1906
Explorer

No, I do not have it installed.

0 Karma

btorresgil
Builder

Thanks, looking into this now. In the meantime it shouldn't cause any problems except to be very annoying. 🙂

jeffprandall
Engager

Also, my Web Activity now has no data, whereas before it did; not sure if that's related.

0 Karma