01-16-2023 07:52 AM - last edited on 04-18-2024 12:33 PM by emgarcia
Hi,
I am currently in the process of setting up IoT Security, Does not Require Data Lake service but I am running into issues. I have managed to setup the portal and that is reachable. The problem seems to be sending the logs from the A/P units to the IoT service. As stated, we purchased the IoT without the use of Data Lake, therefore, what will be the process to send logs to the IoT service or put it simply, what must I specify within the log forwarding configuration? As the options are Panorama (not using), SNMP, Email, Syslog or HTTP?
The IoT administration guide states the following "Enhanced application logging requires a Cortex Data Lake subscription...". My second question would be, how can I enable this if I do not have a CDL subscription?
I've look into the IoT Security Administration guide but it unfortunately doesn't mention much this sort of configuration.
Any help would be appreciated.
04-05-2023 06:53 AM
Hi Nikoolayy1,
Apologies for the late response. Yes, the issue has been resolved.
The issue was due to a backend problem from Palo Alto, specifically logging service. When a IoT without data lake is purchased one should also receive "Cortex Data Lake " license for logging service purposes . (This should be visible with the support portal and the FW once you attempt to retrieve the license).
In my case, I never received this Cortex Data Lake license, and therefore did not have a means to send the logs to the IoT application.
Resolution:
Opened a case with TAC and they provided the missing Cortex Data Lake license.
01-23-2023 01:35 PM - edited 01-23-2023 01:36 PM
I am also new to this but as the logs still go to a cloud then you will need some integration with the IoT cloud (Cortex is still used but just to analyze the logs and they are not saved on the Cortex Data Lake) and to streem the logs to your siem, example splunk streaming:
IoT Security is cloud-hosted so logs are retrieved by Splunk using the IoT Security logging API. Logs are pulled down in JSON format with sourcetype="pan:iot_alert", sourcetype="pan:iot_device" and eventtype="pan_iot_device", eventtype="pan_iot_alert".
03-23-2023 11:27 PM
Hello,
Did you manage to find the resolution of this issue?
04-05-2023 06:53 AM
Hi Nikoolayy1,
Apologies for the late response. Yes, the issue has been resolved.
The issue was due to a backend problem from Palo Alto, specifically logging service. When a IoT without data lake is purchased one should also receive "Cortex Data Lake " license for logging service purposes . (This should be visible with the support portal and the FW once you attempt to retrieve the license).
In my case, I never received this Cortex Data Lake license, and therefore did not have a means to send the logs to the IoT application.
Resolution:
Opened a case with TAC and they provided the missing Cortex Data Lake license.
04-23-2024 09:04 AM
So did you have to configure Cortex Data Lake as well?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
