Hello all,
I'm trying to install Palo Alto Add-On to integrate Cortex XDR on Splunk. I followed the steps in https://splunk.paloaltonetworks.com/cortex-xdr.html
configured Tenant Name, API Key ID and API Key but when tries to retrieve events this error it's logged:
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api-https', port=443): Max retries exceeded with url: //masked_tenant_name.xdr.masked_tenant_region.paloaltonetworks.com/.xdr.masked_tenant_region.paloaltonetworks.com/public_api/v1/incidents/get_incidents/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f1afcb645d0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
As you can see, after the message "Max retries exceeded with url:" the URL doesn't contain "https:", well this cannot be the problem.
The configuration it's this:
Name = DEV_XDR
Interval = 60
Index = default
Status = false
Tenant Namehttps://masked_tenant_name.xdr.masked_tenant_region.paloaltonetworks.com/
Tenant Region = masked_tenant_regionAPI Key ID********
API Key********
I tried "curl" from server with add-on to the tenant URL, and the URL can be reached
Before openning a case in Palo Alto, did anyone had this problem or similar before?
Hello,
I was able to solve this problem. In the "tenant name" filed when configuring, I added the full URL, not only the tenant name. That's the reason of duplicate URL in log.
I configured just tenant name and now it's working fine.
Thank you
@rivars You are a lifesaver! 🙂
Hello,
I was able to solve this problem. In the "tenant name" filed when configuring, I added the full URL, not only the tenant name. That's the reason of duplicate URL in log.
I configured just tenant name and now it's working fine.
Thank you