HTTP Event Collector Error: Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

hfernandez_
Path Finder

Hi All,

I'm currently trying to integrate Palo Alto's Prisma Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...) and I get the following error when I try to test the connection:

Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088

Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma

On the Prisma Cloud side (based on that link above):

Integration Type: Splunk
Integration Name: prisma_hec
Splunk HTTP event collector URL: https://hec_ip:8088/services/collector/event
Auth Token: token

When I test the connection, I get that error above.

Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone seen this before and can point me in the right direction for troubleshooting?

I appreciate any help.

Thanks,
Herman

0 Karma
1 Solution

hfernandez_
Path Finder

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

0 Karma
