How to Configure Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3) on my Linux environment.

jl_Splunk
Engager

Hello,
I am trying to set up the Palo Alto Add-On (Splunk_TA_paloalto 3.5.2) for Enterprise Security 4.0 (Splunk Enterprise 6.3.3). I already have the Palo Alto logs sending to the Forwarder. I have installed the Splunk_TA_paloalto (3.5.2) using the directions provided by Splunk for Palo Alto Networks "http://pansplunk.readthedocs.org/en/latest/getting_started.html#step-1-install-the-app-and-add-on", but it doesn't really provide detailed instructions on how to configure the required files on the Forwarder and the Indexer. If I do not use the Palo Alto App, which inputs.conf do I follow? How do I create the pan_logs indexes? Do I create the input using the 5.x or 4.x stanza? Can someone please advise or help?

0 Karma
1 Solution

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

[udp://514]
sourcetype = pan:log
no_appending_timestamp = true

jl_Splunk
Engager

Thanks for the help @ndesignhouse, I am able to search for the events now using the search string:

index=* sourcetype=pan*

The only difference from yours is that I am using the monitor stanza and using the Splunk_TA_paloalto 3.6 instead of 3.5.2.

[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Glad I could help :)

0 Karma

jl_Splunk
Engager

Does it have to be in the UDP stanza? I have it on monitor because I have set up my HF server to save events received from the PA server to a specific directory.

I noticed the latest version, so I have installed Splunk_TA_paloalto 3.6 on my Deployer, HF, Indexer and SearchHead.

The below is what I have on my HF only. Currently, I still do not see any indexed data on the Indexer server. Am I missing some config steps on the Indexer or SearchHead server?

[monitor:///home/splunk/remote/ip/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
0 Karma

ndesignhouse
Explorer

Yes, you can use monitor. I use monitor as well. You won't need the no_appending_timestamp as that is an attribute for UDP only.

0 Karma
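Added example, not code from this thread or from the Palo Alto add-on: a small Python lint that parses an inputs.conf and flags the two points raised in the posts above, a UDP-only attribute left in a monitor stanza and a host_segment that does not resolve to a directory of the monitored path. The sample stanzas are constructed from this thread, and the list of UDP-only attributes is assumed from ndesignhouse's note.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the monitor stanza posted in the thread plus the accepted answer's udp stanza.
SAMPLE_INPUTS_CONF = """
[monitor:///home/splunk/remote/ipaddress*/*.log]
disabled = false
host_segment = 4
sourcetype = pan:log
no_appending_timestamp = true
[udp://514]
sourcetype = pan:log
no_appending_timestamp = true
"""
UDP_ONLY_ATTRS = {"no_appending_timestamp"}  # per the thread: udp-only attribute (assumed list)

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def host_segment_value(path: str, segment: int) -> Optional[str]:
    """Path element host_segment=N (1-based) would use as host; None if out of range (the trailing file pattern never counts)."""
    parts = [p for p in path.split("/") if p]
    return parts[segment - 1] if 1 <= segment < len(parts) else None

def lint_inputs(text: str) -> List[str]:
    """Flag the inputs.conf pitfalls discussed in the thread."""
    findings: List[str] = []
    for name, attrs in parse_conf(text).items():
        kind, _, target = name.partition("://")
        if kind == "monitor":
            for attr in sorted(UDP_ONLY_ATTRS & attrs.keys()):
                findings.append(f"{name}: {attr} only applies to udp inputs")
            if "host_segment" in attrs and host_segment_value(target, int(attrs["host_segment"])) is None:
                findings.append(f"{name}: host_segment={attrs['host_segment']} is out of range")
        if attrs.get("sourcetype") != "pan:log":
            findings.append(f"{name}: sourcetype should be pan:log")
    return findings
```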

jl_Splunk
Engager

Hi @ndesignhouse, we are not using the UF. We set up the PA server to send directly to the HF.

0 Karma

ndesignhouse
Explorer

On the HF, your inputs can be installed here:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/inputs.conf

Since you are using 3.5.2 you can use the 5.x stanza.

Have you tried this already?

0 Karma

ndesignhouse
Explorer

Are you using the universal forwarder?

0 Karma