Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake?

Dave2d
Engager
‎02-01-2023 09:43 AM

We are having issues with pan:firewall_cloud parser (which came with the Palo Alto Netowrks Add-on) not parsing logs from Cortex Data Lake. We are centralizing all of our SASE Prisma and Firewall logs into the Cortex Data Lake and then streaming them from there to Splunk Cloud via the HEC. When I configure that HEC to use the Source Type of pan:firewall_cloud, which was recommended in the setup docs,  we don't get field extraction. When I use a standard _json parser it extracts all fields as expected. Is anyone else having this issue? Is there a fix? I can't use any of the Palo dashboards and there is no CIM normalization happening without that official Add-on parser working. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

star_lord
Explorer
‎08-23-2023 07:45 AM

@Dave2d   Did you ever find a resolution for this issue?  Thanks!

0 Karma
Reply

Dave2d
Engager
‎08-23-2023 08:37 AM

Yes we did get the pan:firewall_cloud working. I am not sure why we were having issues at first, but we are good to go now. 

Reply

JRW
Splunk Employee
Splunk Employee
‎08-24-2023 01:05 PM

Can you please share how you fixed the issue?

Thx

0 Karma
Reply

star_lord
Explorer
‎12-08-2023 01:09 PM

We fixed this issue by changing the HEC endpoint that the data was being sent to from services/collector/raw to 
services/collector/event.

More information here:
https://docs.splunk.com/Documentation/Splunk/latest/Data/HECRESTendpoints

Reply

JRW
Splunk Employee
Splunk Employee
‎12-08-2023 04:53 PM

TYVM for the reply and info

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-01-2023 11:13 AM

It's possible the app is out-of-date with Cortex Data Lake.  The app is supported by Palo Alto so you should contact them at https://splunk.paloaltonetworks.com/support.html

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering. Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...