Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

HTTP Event Collector Error: Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

hfernandez_
Path Finder
‎12-02-2019 02:18 PM

Hi All,

I'm currently trying to integrate Palo Alto's Primsa Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...) and I get the following error when I try to test the connection:

Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088

Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma

On the Prisma Cloud side (based on that link above):

Integration Type: Splunk
Integration Name: prisma_hec
Splunk HTTP event collector URL: https://hec_ip:8088/services/collector/event
Auth Token: token

When I test the connection, I get that error above.

Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone see this before and can point me in the right direction for troubleshooting?

I appreciate any help.

Thanks,
Herman

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hfernandez_
Path Finder
‎12-20-2019 12:52 PM

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hfernandez_
Path Finder
‎12-20-2019 12:52 PM

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...