All Apps and Add-ons

Splunk and Palo Alto Cortex Data Lake: Data for global protect cloud service is not getting parsed.

shirishkamat84
Path Finder

We are ingesting the firewall data from the panorama and GP cloud service logs from Cortex and ingesting the data to the same index pan_logs with sourcetype=pan:log.

The logs from panorama are getting parsed properly, however, the data from the cortex data lake for global protect cloud service is not getting parsed. Does the Palo Alto Networks for Splunk add-on support data coming from Cortex? Any suggestions to make this work?

Labels (1)

swebb07g
Path Finder

I'm also curious about this.

0 Karma

hiren53
New Member

I am trying to get data from cortex data lake to our Splunk hosted on prem. We getting the logs but it’s garbage characters.

splunk is not able to open ssl input. Can you share splunk side config to make this work?

what were the parameters on inputs.conf and what third party CA you user and created pem files?

 

any help would be appreciated 

0 Karma

swebb07g
Path Finder

I don't think Cortex Data Lake supports SSL (assuming you mean https). It does support syslog over TLS though.

0 Karma

swebb07g
Path Finder

In case anyone else lands here, it appears Cortex Data Lake now supports forwarding directly to Splunk  via HTTP Event Collector (HEC).

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-start...

0 Karma
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...