Palo Alto Networks Add-on for Splunk: How to resolve "Invalid key in stanza" errors?

goodsellt
Contributor

Hello,

When attempting to distribute the Palo Alto Networks Add-on for Splunk, I'm receiving the following errors from Splunk regarding the push. This is on the currently deployed version of the Palo Alto Networks Add-on for Splunk on Splunkbase. I'm currently running 6.3.0.1. What ideas do you have or steps should I take to remediate this problem?

    Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true })

    Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true })

Here is what the config file in question looks like: [screenshot of alert_actions.conf not preserved in this copy]

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

A bit of digging seems to show it's part of the adaptive response stuff, which if I'm not mistaken was first introduced in Splunk 6.5. Perhaps it was introduced in Splunk Enterprise Security 4.5 - either way, I suspect it's not supported in your version(s).

Please try commenting those lines out (you should be able to prepend each line with a hash/pound sign #), or make a backup of the file and then delete them, then restart Splunk. You'll want to remove/comment out everything from the line starting param._cam through to the single } at the end of each section. I suspect that will make those errors go away.

If that works, I'd send feedback to the app maintainers and let them know. Or something. 🙂

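The workaround above (comment out every line from `param._cam` down to the closing `}` of that stanza's value, after taking a backup) is mechanical enough to script. The following is an added example, not code from the Palo Alto Networks Add-on or from Splunk; the sample `alert_actions.conf` text is constructed and only the stanza name `[pantag]` and the `param._cam` key come from the thread. It assumes the add-on writes the multi-line value with Splunk's trailing-backslash line continuation, so a setting is treated as continuing while each line ends in `\`.

```python
"""Find and comment out ``param._cam`` settings in a Splunk alert_actions.conf.

Added example for the workaround discussed in this thread; not part of the
Palo Alto Networks Add-on and not a Splunk tool. Every line from the
``param._cam`` key through the last continuation line (the lone ``}``) is
prefixed with ``#`` so an older Splunk release no longer rejects the key.
"""
import re
import shutil
from pathlib import Path

# Keys this thread reports as rejected on older Splunk versions. Only
# param._cam is named on the page; extend the tuple if you hit others.
UNSUPPORTED_KEYS = ("param._cam",)

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=\s#][^=]*?)\s*=")


def _continues(line):
    """True if a Splunk .conf line ends with a backslash continuation."""
    return line.rstrip("\r\n").rstrip().endswith("\\")


def find_unsupported(text):
    """Return (stanza, line_number, key) for each unsupported key in *text*.

    Continuation lines of a multi-line value are skipped so that JSON text
    inside a value is never mistaken for a new key.
    """
    hits = []
    stanza = None
    continued = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if continued:
            continued = _continues(line)
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and m.group("key") in UNSUPPORTED_KEYS:
            hits.append((stanza, lineno, m.group("key")))
        continued = _continues(line)
    return hits


def comment_out_unsupported(text):
    """Return *text* with each unsupported key and all of its continuation lines commented out."""
    out = []
    in_block = False
    for line in text.splitlines(keepends=True):
        if not in_block:
            m = KEY_RE.match(line)
            in_block = bool(m and m.group("key") in UNSUPPORTED_KEYS)
        if in_block:
            out.append("#" + line)
            # stay in the block while lines keep ending in a continuation backslash;
            # the closing "}" line has none, so the block ends there
            in_block = _continues(line)
        else:
            out.append(line)
    return "".join(out)


def patch_file(path):
    """Back up *path* to ``<path>.bak``, rewrite it with the keys commented out, return the hits."""
    path = Path(path)
    original = path.read_text()
    hits = find_unsupported(original)
    if hits:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(comment_out_unsupported(original))
    return hits


# Constructed sample in the shape of the add-on's alert_actions.conf (not the real file).
SAMPLE_CONF = """\
[pantag]
is_custom = 1
label = Tag to Palo Alto Networks
param._cam = {\\
    "category" : ["Information Conveyance"],\\
    "supports_adhoc" : true\\
}
ttl = 60
"""

if __name__ == "__main__":
    for stanza, lineno, key in find_unsupported(SAMPLE_CONF):
        print(f"[{stanza}] line {lineno}: {key} is not supported on this Splunk version")
    print(comment_out_unsupported(SAMPLE_CONF))
```

Run `patch_file("/opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf")` on the deployer, then restart Splunk as the answer describes; `find_unsupported` on the patched text returns an empty list, which is a quick check that nothing was left half-commented. Editing `default/` is what the thread did, but the change is lost on the next add-on upgrade, so note it somewhere you will see it.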

splk
Communicator

Had the same error on Splunk 6.5.1 Cluster (no Enterprise Security in use)!

pgrasswill
Engager

For me, it was solved after upgrading to 6.5.3.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Since your problem is different from this one you should post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

panguy
Contributor

Splunk 6.4 is the version needed to support those stanzas.

0 Karma

goodsellt
Contributor

Thanks for this info!

0 Karma

goodsellt
Contributor

This did work out for me, thanks! Looks like we need to get ourselves onto the latest version here soon.

0 Karma