Getting Data In
Highlighted

HTTP Event Collector Error: Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

Path Finder

Hi All,

I'm currently trying to integrate Palo Alto's Primsa Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...) and I get the following error when I try to test the connection:

Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088

Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma

On the Prisma Cloud side (based on that link above):

Integration Type: Splunk
Integration Name: prismahec
Splunk HTTP event collector URL: https://hec
ip:8088/services/collector/event
Auth Token: token

When I test the connection, I get that error above.

Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone see this before and can point me in the right direction for troubleshooting?

I appreciate any help.

Thanks,
Herman

Tags (1)
0 Karma
Highlighted

Re: HTTP Event Collector Error: Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

Path Finder

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

View solution in original post

0 Karma