topic Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/671329#M11822 <P>TYVM for the reply and info</P> Sat, 09 Dec 2023 00:53:05 GMT JRW 2023-12-09T00:53:05Z Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/629196#M11288 <P>We are having issues with pan:firewall_cloud parser (which came with the Palo Alto Netowrks Add-on) not parsing logs from Cortex Data Lake. We are centralizing all of our SASE Prisma and Firewall logs into the Cortex Data Lake and then streaming them from there to Splunk Cloud via the HEC. When I configure that HEC to use the Source Type of pan:firewall_cloud, which was recommended in the setup docs,&nbsp; we don't get field extraction. When I use a standard _json parser it extracts all fields as expected. Is anyone else having this issue? Is there a fix? I can't use any of the Palo dashboards and there is no CIM normalization happening without that official Add-on parser working.&nbsp;</P> Wed, 01 Feb 2023 18:36:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/629196#M11288 Dave2d 2023-02-01T18:36:37Z Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/629215#M11289 <P>It's possible the app is out-of-date with Cortex Data Lake.&nbsp; The app is supported by Palo Alto so you should contact them at&nbsp;<A href="https://splunk.paloaltonetworks.com/support.html" target="_blank">https://splunk.paloaltonetworks.com/support.html</A></P> Wed, 01 Feb 2023 19:13:42 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/629215#M11289 richgalloway 2023-02-01T19:13:42Z Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/655356#M11670 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253456">@Dave2d</a>&nbsp; &nbsp;Did you ever find a resolution for this issue?&nbsp; Thanks!</P> Wed, 23 Aug 2023 14:45:51 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/655356#M11670 star_lord 2023-08-23T14:45:51Z Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/655366#M11672 <P>Yes we did get the pan:firewall_cloud working. I am not sure why we were having issues at first, but we are good to go now.&nbsp;</P> Wed, 23 Aug 2023 15:37:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/655366#M11672 Dave2d 2023-08-23T15:37:39Z Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/655542#M11674 <P>Can you please share how you fixed the issue?</P><P>Thx</P> Thu, 24 Aug 2023 20:05:17 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/655542#M11674 JRW 2023-08-24T20:05:17Z Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/671316#M11821 <P>We fixed this issue by changing the HEC endpoint that the data was being sent to from&nbsp;services/collector/raw&nbsp;to&nbsp;<BR />services/collector/event.<BR /><BR />More information here:<BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/HECRESTendpoints" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/HECRESTendpoints</A><BR /><BR /></P> Fri, 08 Dec 2023 21:09:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/671316#M11821 star_lord 2023-12-08T21:09:13Z Re: Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake? https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/671329#M11822 <P>TYVM for the reply and info</P> Sat, 09 Dec 2023 00:53:05 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Issues-with-pan-Why-is-firewall-cloud-parser-not-parsing-logs/m-p/671329#M11822 JRW 2023-12-09T00:53:05Z