Open lamonica-a opened 1 year ago
Hello,
The add-on should be installed everywhere except for Universal Forwarders. If you are using a Heavy forwarder then it needs to be installed there too.
| Splunk Node | What to install |
|---|---|
| Search Head | Add-on and App |
| Indexer | Add-on only |
| Heavy Forwarder | Add-on only |
| Universal Forwarder | None |
@paulmnguyen
Is this also the case for a Single Instance Splunk Environment?
Also, could I configure this with just the Add-on installed on the Search head & Indexer, and not have the App installed on the Search head?
Yes, that is correct; only the TA is needed for parsing. I'm not sure I understand your question in regards to the single-instance environment.
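Added example (not from the add-on project or either commenter): a small Python check that applies the placement table above, together with the reply that only the TA is needed for parsing, to every host in a deployment, including a single-instance host that holds the search head and indexer roles at once. The package names `TA_paloalto` and `App_paloalto` are assumed placeholders, not the add-on's real directory names.

```python
"""Placement check for the Palo Alto Networks add-on (TA) and app on Splunk
hosts, per the table and reply above: the TA must be on search heads, indexers
and heavy forwarders; the app is optional and belongs only on search heads;
universal forwarders get nothing. Names below are assumed placeholders."""

ADDON = "TA_paloalto"   # placeholder, not the add-on's real app ID
APP = "App_paloalto"    # placeholder, not the app's real app ID

# Roles that need the TA for parsing; the app is allowed only on search heads.
TA_ROLES = {"search_head", "indexer", "heavy_forwarder"}
KNOWN_ROLES = TA_ROLES | {"universal_forwarder"}


def check_host(roles, installed):
    """Return (missing, unexpected) package sets for one host.
    A host may hold several roles (a single-instance deployment is a search
    head and an indexer at once), so its needs are the union of its roles'."""
    roles = set(roles)
    unknown = roles - KNOWN_ROLES
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    required = {ADDON} if roles & TA_ROLES else set()
    allowed = required | ({APP} if "search_head" in roles else set())
    present = set(installed) & {ADDON, APP}
    return required - present, present - allowed


def check_deployment(hosts):
    """hosts: {name: (roles, installed)} -> {name: (missing, unexpected)},
    listing only hosts that deviate from the placement rules."""
    report = {}
    for name, (roles, installed) in hosts.items():
        missing, unexpected = check_host(roles, installed)
        if missing or unexpected:
            report[name] = (missing, unexpected)
    return report


if __name__ == "__main__":
    # Constructed inventory mirroring the thread: TA on the search head only.
    sample = {
        "sh01": (["search_head"], [ADDON]),
        "idx01": (["indexer"], []),
        "uf01": (["universal_forwarder"], [ADDON]),
        "single01": (["search_head", "indexer"], [ADDON, APP]),
    }
    for host, (missing, extra) in check_deployment(sample).items():
        print(host, "missing:", sorted(missing), "unexpected:", sorted(extra))
```

Run against a real inventory, the two hosts the thread describes (add-on on the search head, nothing on the indexer) come out as the indexer missing the TA, which is what stops parsing.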
@paulmnguyen https://docs.splunk.com/Documentation/Splunk/9.0.4/Overview/AboutSplunkEnterprisedeployments
Single-instance deployments
In small deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. A single-instance deployment can be useful for testing and evaluation purposes and might serve the needs of department-sized environments.
Distributed deployments
To support larger environments where data originates on many machines, where you need to process large volumes of data, or where many users need to search the data, you can scale the deployment by distributing Splunk Enterprise instances across multiple machines. This is known as a "distributed deployment".
In a typical distributed deployment, each Splunk Enterprise instance performs a specialized task and resides on one of three processing tiers corresponding to the main processing functions:
- Data input tier
- Indexer tier
- Search management tier
@paulmnguyen Also, my SA confirmed that the Add-on is on all indexers located in “Slave Apps”, and are installed on the search heads per the instructions for the Add-on.
What could be the issue?
Try running a search for pan:* but set the time to "All Time".
Describe the bug
I am currently troubleshooting the Palo Alto Add-on in my Splunk Instance. https://splunkbase.splunk.com/app/2757
I am having the issue of having it populate logs against my Palo Alto appliances in my environment whenever I query my network index and sourcetype=pan:firewall.
Expected behavior
I would expect data to populate tailored to the sourcetype of "pan:firewall" or "pan:*"
Current behavior
Currently, the add-on is installed only on the search heads. The PAN-OS appliances are sending syslog data to the syslog forwarder(s).
My Splunk environment is considered a Distributed Instance Deployment. The Palo Alto log data comes from a syslog forwarder over UDP/514.
Possible solution
Does the add-on also need to be installed on the indexer AND forwarder(s)? Other configurations to take into account?
Screenshots (captions only): Query; Sourcetype Menu; pan:firewall view