Getting Data In

HTTP Event Collector Error: Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

hfernandez_
Path Finder

Hi All,

I'm currently trying to integrate Palo Alto's Primsa Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...) and I get the following error when I try to test the connection:

Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.

On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088

Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma

On the Prisma Cloud side (based on that link above):

Integration Type: Splunk
Integration Name: prisma_hec
Splunk HTTP event collector URL: https://hec_ip:8088/services/collector/event
Auth Token: token

When I test the connection, I get that error above.

Since we have the incoming IP addresses locked down to the Cloud Prisma server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone see this before and can point me in the right direction for troubleshooting?

I appreciate any help.

Thanks,
Herman

Tags (1)
0 Karma
1 Solution

hfernandez_
Path Finder

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

View solution in original post

0 Karma

hfernandez_
Path Finder

Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.

The Splunk Cloud HEC URL to use is:

curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!