Getting Data In

HTTP Event Collector Error: Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

hfernandez_
Path Finder

Hi All,

I'm currently trying to integrate Palo Alto's Primsa Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...) and I get the following error when I try to test the connection:

Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088

Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma

On the Prisma Cloud side (based on that link above):

Integration Type: Splunk
Integration Name: prisma_hec
Splunk HTTP event collector URL: https://hec_ip:8088/services/collector/event
Auth Token: token

When I test the connection, I get that error above.

Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone see this before and can point me in the right direction for troubleshooting?

I appreciate any help.

Thanks,
Herman

Tags (1)
0 Karma
1 Solution

hfernandez_
Path Finder

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

View solution in original post

0 Karma

hfernandez_
Path Finder

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...