
What is causing the issue with Palo Alto Add-On with a Splunk Distributed Deployment?

ifn_victorsanch
Engager

I'm trying to install the PAN App and Add-on from Splunk base:

PAN App - 6.0.1
PAN Add-on - 6.0.2

My environment Splunk Enterprise 6.4.5 (distributed)

Following documentation on (https://splunk.paloaltonetworks.com/installation.html)
1. I installed Add-on and App on the Search-Head Server with no issues
2. Then I unzipped and untarred the Add-on and added it to Master Apps on the Cluster Master Server
3. Then I tried to distribute the configuration bundle (so the Splunk Cluster Master pushes the Add-on to the Indexers as a slave app). But it failed with this message:

"In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. The following errors were encountered: No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/addon_builder.conf ;  Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }). ;   Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }). ;No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/splunk_ta_paloalto_settings.conf"

I haven't really modified much, just changed the index from default to ix_pan_logs (so I can identify how much data is going there and manage it properly in the future). To do this I just created a 'local' folder within the Add-on, copied the inputs.conf from the default folder within the Add-on, and then edited that copied inputs.conf file.

This is what it looks like:

# Default Settings for AutoFocus Export List

[autofocus_export]
index = ix_pan_logs
start_by_shell = false
sourcetype = AutoFocus
interval = 3200

[aperture]
sourcetype = pan:aperture

#################
# MineMeld inputs
#################
[minemeld_feed]
index = ix_pan_logs
start_by_shell = false
sourcetype = pan:minemeld
interval = 30

I reviewed the error message and all the files seem to exist, so I'm not sure how to resolve the problem.

No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/addon_builder.conf

Here is the content of that file:

# this file is generated by add-on builder automatically
# please do not edit it

[base]
builder_version = 2.2.0
builder_build = 12
is_edited = 0

Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam
Here is the content of that file:

[pantag]
is_custom         = 1
label             = PAN : Tag to Dynamic Address Group
description       = Add/remove Palo Alto Networks dynamic address group tag
icon_path         = appicon.png
payload_format    = json
ttl               = 240
command           = sendalert $action_name$ param.action=$device$ param.action=$action$ param.tag=$tag$ | stats count
track_alert       = 1

param._cam = {\
    "category" :   ["Information Conveyance"],\
    "task" :       ["create", "delete", "allow", "block"],\
    "subject" :    ["network.firewall"],\
    "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}],\
    "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",\
    "supports_adhoc" : true\
}


[panwildfiresubmit]
is_custom         = 1
label             = PAN : Submit URL to WildFire
description       = Palo Alto Networks WildFire analyzes the URL for malware
icon_path         = appicon.png
payload_format    = json
ttl               = 240
command           = sendalert $action_name$ | stats count
track_alert       = 1

param._cam = {\
    "category" :   ["Information Gathering"],\
    "task" :       ["scan"],\
    "subject" :    ["process.sandbox"],\
    "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}],\
    "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$",\
    "supports_adhoc" : true\
}

No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/splunk_ta_paloalto_settings.conf
Content of the file:

[proxy]

[logging]

[additional_parameters]

Any comments/guide will be really appreciated.

nickhills
Ultra Champion

I would remove alert_actions.conf from the slave app; they won't ever be needed on an indexer.

If my comment helps, please give it a thumbs up!
0 Karma
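An added pre-check script (not from the thread and not part of the PAN Add-on) that inspects an app staged under master-apps for the two things the cluster master's validation complained about above: a .conf file with no matching .conf.spec (assumed to be looked up in the app's own README/ directory and in $SPLUNK_HOME/etc/system/README/), and an alert_actions.conf that, as the answer notes, has no business on an indexer. The paths and the function name are this example's own assumptions.

```shell
#!/bin/sh
# check_master_app SPLUNK_HOME APP_DIR
#   Reports conf files under APP_DIR/default and APP_DIR/local that the cluster
#   master would reject ("No spec file for: ...") and flags alert_actions.conf,
#   which only the search head needs. Returns the number of problems found
#   (0 means the app should pass bundle validation on these two points).
check_master_app() {
    splunk_home="$1"
    app_dir="$2"
    problems=0
    for conf in "$app_dir"/default/*.conf "$app_dir"/local/*.conf; do
        # an unmatched glob stays literal, so skip anything that is not a file
        [ -f "$conf" ] || continue
        name=$(basename "$conf")
        if [ "$name" = "alert_actions.conf" ]; then
            echo "REMOVE : $conf (alert actions run on the search head, not on indexers)"
            problems=$((problems + 1))
            continue
        fi
        # spec may ship with the app (README/) or with Splunk itself (system/README/)
        if [ ! -f "$app_dir/README/$name.spec" ] && \
           [ ! -f "$splunk_home/etc/system/README/$name.spec" ]; then
            echo "NO SPEC: $conf"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run directly: ./check_master_app.sh /opt/splunk /opt/splunk/etc/master-apps/Splunk_TA_paloalto
if [ "$#" -eq 2 ]; then
    check_master_app "$1" "$2"
fi
```

A non-zero exit status tells you what to fix (or consciously skip with --skip-validation) before running "splunk apply cluster-bundle" again.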
