All Apps and Add-ons

Why am I encountering Issues with Palo Alto lookups and permissions with a deployment?

mbelarde_splunk
Splunk Employee

Hello there,

I am having issues with a deployment in which, when using a non-admin role for a user, when I search using, let's say, the Search app, I have the following output:

• The limit has been reached for log messages in info.csv. 69 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
• [idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'endpoint_actions_lookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'endpoint_severity_lookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'pan_vendor_action_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'pan_vendor_action_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:aperture'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:config'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:system'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'sanctioned_saas_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'sanctioned_saas_lookup' does not exist. It is referenced by configuration 'pan:traffic'.

Does anyone know what this is related to?


qi3ber
Explorer

Assuming you're using the same search head for both the admin and non-admin searches, I would recommend checking the permissions on the lookup tables referenced in the above errors. My guess is that the read permissions on those lookup tables are restricted to admin only, which makes the non-admin user run into errors. It's also worth checking the permissions on the underlying lookup files those tables are using as well, but I believe that those errors are related to the tables themselves.



mbelarde_splunk
Splunk Employee

Hey qi3ber,

I just checked and adjusted the "Lookup table files" and "Lookup definitions"; they had permissions assigned to only the app, not everyone as required.

That did the job, although it seems that the permissions were not cascaded down to the objects when the read permission was assigned to the app itself (this is Splunk_TA_paloalto through "Manage Apps"). Is this the normal behaviour?

Thanks!

M.

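Added example, not part of the thread and not code from Splunk_TA_paloalto: a small Python audit that does the check qi3ber's answer recommends and the fix the follow-up post describes, for both object types involved (lookup definitions from `data/transforms/lookups` and lookup table files from `data/lookup-table-files`, two real Splunk REST endpoints). It reads the ACL Splunk reports for each object, flags every one a given role cannot use from another app such as Search, and prints the `metadata/local.meta` stanza that would share it with everyone. The SAMPLE data is constructed to mirror the REST JSON shape and uses the lookup names from the error list above; the host, the bearer token and the file name `app_lookup.csv` are assumptions, not the TA's real values.

```python
"""Audit Splunk lookup ACLs for a non-admin role (added example, not Splunk's code).

Consumes the JSON returned by two Splunk Enterprise REST endpoints:
  GET /servicesNS/-/-/data/transforms/lookups?output_mode=json&count=0   (lookup definitions)
  GET /servicesNS/-/-/data/lookup-table-files?output_mode=json&count=0   (lookup table files)
and reports every object that `role` cannot read from outside the owning app,
which is what surfaces as "The lookup table 'X' does not exist. It is referenced
by configuration 'pan:traffic'." for that role.
"""
import json
import ssl
import urllib.request

# metadata/local.meta stanza prefix for each endpoint's objects
META_PREFIX = {
    "data/transforms/lookups": "transforms",
    "data/lookup-table-files": "lookups",
}


def classify(entry, role):
    """Why `role` can or cannot use this object from another app.

    acl.sharing: "user" (private), "app" (only inside the owning app) or
    "global" (every app). acl.perms.read lists roles; "*" means everyone.
    A missing perms block is treated as no role granted (fail closed).
    """
    acl = entry["acl"]
    sharing = acl.get("sharing")
    readers = (acl.get("perms") or {}).get("read") or []
    if sharing == "user":
        return "private"
    if role not in readers and "*" not in readers:
        return "role_not_in_read"
    if sharing == "app":
        return "app_only"
    return "ok"


def audit(entries_by_endpoint, role):
    """{endpoint: [entry, ...]} -> sorted (endpoint, name, status, app) for non-ok objects."""
    findings = []
    for endpoint, entries in entries_by_endpoint.items():
        for entry in entries:
            status = classify(entry, role)
            if status != "ok":
                findings.append((endpoint, entry["name"], status, entry["acl"]["app"]))
    return sorted(findings)


def local_meta_fix(endpoint, name, read_roles=("*",), write_roles=("admin",)):
    """Stanza for <app>/metadata/local.meta: share globally ("All apps") and
    grant read to read_roles (the "Everyone" setting in the UI)."""
    return (
        f"[{META_PREFIX[endpoint]}/{name}]\n"
        "export = system\n"
        f"access = read : [ {', '.join(read_roles)} ], write : [ {', '.join(write_roles)} ]\n"
    )


def fetch(base_url, endpoint, token, cafile=None):
    """Live variant (not used by the offline demo): GET the endpoint with a Splunk
    authentication token. base_url such as https://sh1:8089 is an assumption."""
    url = f"{base_url}/servicesNS/-/-/{endpoint}?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["entry"]


# Constructed sample shaped like the REST JSON. Definition names come from the
# thread's error list; "app_lookup.csv" is an assumed file name.
SAMPLE = {
    "data/transforms/lookups": [
        {"name": "app_lookup",
         "acl": {"app": "Splunk_TA_paloalto", "sharing": "app",
                 "perms": {"read": ["*"], "write": ["admin"]}}},
        {"name": "pan_vendor_info_lookup",
         "acl": {"app": "Splunk_TA_paloalto", "sharing": "global",
                 "perms": {"read": ["admin"], "write": ["admin"]}}},
        {"name": "sanctioned_saas_lookup",
         "acl": {"app": "Splunk_TA_paloalto", "sharing": "global",
                 "perms": {"read": ["*"], "write": ["admin"]}}},
    ],
    "data/lookup-table-files": [
        {"name": "app_lookup.csv",
         "acl": {"app": "Splunk_TA_paloalto", "sharing": "app",
                 "perms": {"read": ["admin"], "write": ["admin"]}}},
    ],
}

if __name__ == "__main__":
    for endpoint, name, status, app in audit(SAMPLE, "user"):
        print(f"{status:17} {app} {endpoint}/{name}")
        print(local_meta_fix(endpoint, name))
```

Two things the audit makes visible: a definition that is readable by everyone but shared only with its app still fails from Search (status `app_only`), and a definition shared globally but restricted to `admin` fails for every other role (status `role_not_in_read`), so both the sharing scope and the read list have to be checked, on the definition and on the file it points at. App-level permissions set under Manage Apps govern access to the app itself; each knowledge object carries its own sharing and read/write ACL in `metadata/*.meta`, which is what this script reads.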

mbelarde_splunk
Splunk Employee

Palo Alto App version: 6.0.1 / Splunk_TA_paloalto: 6.0.2
