How can i confirm whether log ingestion frm respective cloud accnts is successfully happening or not

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How can i confirm whether log ingestion frm respective cloud accnts is successfully happening or not

L0 Member

Hello Guys,

 

Can somebody please answer my query.

 

From the cloud accounts section of Prisma Cloud UI, I can able to see all the status checks got passed for Config,Flow,Audit logs for one of the cloud accounts.

MPalagiri_1-1605783030320.png

 

However when I ran the simple query(Ex:- event where cloud.account="X.X.X.X") from investigate blade for audit/flow logs, there were no logs as shown below.

 
 
 
 
 
 
 
 
 
 
 

Capture.JPG

 

I was under assumption that, if cloud account status checks is pass and if it's in green color then log ingestion was successfully happening. Please correct me if my understanding is wrong here. If my assumption is wrong, how can we rely on knowing the log ingestion is happening or not? Is it by manually running the queries??

 

Please help me to understand this functionality if cloud account status.

 

 

2 REPLIES 2

L3 Networker

Hi @MPalagiri ,

 

the result what you get is expected because you didn't finished the query, i get the same result because there no real output expected here. Event queries are used to search and audit all the console and API access events in the cloud environment. Try event where commands like below.

 

event where cloud.type = 'azure'

 

I hope that helped you?

 

Regards,

Torsten

 

 

"With unity we can do great things"

Hello Torsten,

 

Thanks for your kind response.

 

The query was completed and here the objective is, I want to validate whether audit logs are ingesting from specific cloud account that we onboarded or not?

Anyhow I ran the query that you suggested but no luck.

 

MPalagiri_0-1605787643217.png

 

If we run only this as you suggested, event where cloud.type = 'azure. This scouts for the events across all the cloud accounts which we have onboarded but we need from specific account as i highlited above.

 

 

 

Thank you.

Mahesh.

  • 3198 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!