'Nonsense' hex data after ingestion

[ryan1760]

Hello!
We are working on setting up log forwarding from Cortex Data Lake -> Splunk (Cloud) via a heavy forwarder.

Current state:

• HF & search head both have the TA installed; SH has the app installed
• HF has port 6514 configured as a TCP listener, PAN TA app context, pan:firewall source type, index=pan
• When we search for index=pan on the SH, we see 'nonsense' data - it's all \x__`
• We previously had the TCP listener set up w/no app context, and it was at least resulting in expected data; it just wasn't being parsed. We redid the listener with the app context, which resulted in this hex gibberish

What did we misconfigure? Thanks in advance!

[btorresgil]

There was previously an issue with syslog from Cortex Data Lake to Splunk. (Issue #162)

This has been resolved. We now support HTTPS (HEC) logging to Splunk from Cortex Data Lake. Here is the documentation on how to set this up:

• Cortex Data Lake to Splunk:
  https://splunk.paloaltonetworks.com/cortex-hec.html

• Cortex Data Lake Log forwarding over HTTPS (HEC):
  https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-to-an-https-server