Palo Alto Networks App for Splunk: Why is Traps data not properly populating in the Endpoint tab?

Hello Splunkers! Need help with the Palo Alto TRAPS data not properly populating in the Palo Alto Networks App for Splunk "Endpoint" tab. All other tabs work perfectly.

1. Running Splunk Enterprise 6.4.0, CentOS7, PA App v5.2.0, PA ESM v3.4.0. Non-clustered environment.
2. I have a fresh install of the Palo Alto Networks App for Splunk and Palo Alto Networks Add-on for Splunk. The indexer and the search head both have the app and add-on installed per the developer. Permissions have been verified and no errors noted on restarting Splunk.
3. TRAPS ESM Syslog config updated to point to a Splunk Indexer on TCP 5144. Because I am using TCP I have commented out the inputs.conf entries. I assumed this is correct since this is TCP, not UDP.
4. A TCP Data Input was created on the indexer. Sourcetype set to "pan:log", App Context set to the PA App, method set to IP, and index set to "pan_logs".
5. Using the TRAPS test executable provided by PA Support we generated a number of malware events. Splunk sees the events coming into the pan_logs index. Sourcetype shows pan:log correctly. However, PA-specific field extractions for TRAPS events appear to not be working, as only the basic host, source, sourcetype, eventtype, index, and a few others are automatically discovered.
6. I have re-run the data models because someone in one of the other posts regarding this app was asked to do so.
7. End result... notta. Endpoint dashboard is still blank.

This is about as basic as it gets for installing apps in Splunk. Not sure what more needs to be done. Thoughts?
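For readers checking a setup like the one described, here is the inputs.conf equivalent of the TCP data input from step 4, as an added illustration that is not part of the original post or the Palo Alto app. The stanza and key names are standard Splunk inputs.conf syntax; the port, sourcetype, index and host method are taken from the post, and the file location (the app's local directory on the indexer) is an assumption.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<PA app>/local/inputs.conf on the indexer
# Listens for the Traps ESM syslog feed on TCP 5144 (from step 3 of the post).
[tcp://5144]
sourcetype = pan:log
index = pan_logs
# "method set to IP" in the UI corresponds to connection_host = ip
connection_host = ip
disabled = 0
```

A quick way to confirm the input is really tagged as intended is `index=pan_logs | stats count by sourcetype`, run on the search head, which should show pan:log for the Traps events.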
