Splunk Enterprise Security

Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake?

Dave2d
Engager

We are having issues with pan:firewall_cloud parser (which came with the Palo Alto Netowrks Add-on) not parsing logs from Cortex Data Lake. We are centralizing all of our SASE Prisma and Firewall logs into the Cortex Data Lake and then streaming them from there to Splunk Cloud via the HEC. When I configure that HEC to use the Source Type of pan:firewall_cloud, which was recommended in the setup docs,  we don't get field extraction. When I use a standard _json parser it extracts all fields as expected. Is anyone else having this issue? Is there a fix? I can't use any of the Palo dashboards and there is no CIM normalization happening without that official Add-on parser working. 

Labels (1)
Tags (2)
0 Karma

star_lord
Explorer

@Dave2d   Did you ever find a resolution for this issue?  Thanks!

0 Karma

Dave2d
Engager

Yes we did get the pan:firewall_cloud working. I am not sure why we were having issues at first, but we are good to go now. 

JRW
Splunk Employee
Splunk Employee

Can you please share how you fixed the issue?

Thx

0 Karma

star_lord
Explorer

We fixed this issue by changing the HEC endpoint that the data was being sent to from services/collector/raw to 
services/collector/event.

More information here:
https://docs.splunk.com/Documentation/Splunk/latest/Data/HECRESTendpoints

JRW
Splunk Employee
Splunk Employee

TYVM for the reply and info

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's possible the app is out-of-date with Cortex Data Lake.  The app is supported by Palo Alto so you should contact them at https://splunk.paloaltonetworks.com/support.html

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...