Hi,
I’m using Elastic Serverless and trying to ingest Palo Alto Next-Gen Firewall logs using the official Palo Alto integration.
The issue appears when using an Elastic Agent on Rocky Linux. The integration is configured correctly, and the logs are being sent and received on the expected port by the agent. Everything seems to be working fine, but no documents are being ingested into Elasticsearch. There are no errors shown in the agent or in Fleet.
I tested the same configuration on a Windows Elastic Agent, and in that case the logs are ingested correctly. However, in production I only have Linux machines, so Windows is not an option.
Additional details:
- Elastic Agent version: 9.2.4
- Palo Alto NGFW integration version: 5.4.1
- Rocky Linux version: 9.5
- Fleet-managed agent
- Input type: UDP
- SELinux status: disabled
Has anyone else experienced this issue?
Is there any known solution or workaround?
Thanks.
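One check worth running on the Linux host in a situation like the one described above is to confirm which UDP socket is actually bound to the integration's port, whether datagrams are queued on it unread, and whether the kernel has dropped any because the receive buffer was full. The script below is an added example, not part of the original post and not code from Elastic or the Palo Alto integration: it parses the kernel's `/proc/net/udp` table (hex `IP:port` columns, little-endian IPv4), reports the bound sockets for a given port, and maps the socket inode back to a PID via `/proc/<pid>/fd` so you can see whether the Elastic Agent process, or something else such as a local syslog daemon, owns the port. The embedded `SAMPLE` table is constructed for illustration, and the port 9001 used in the demo is an assumption, not a value taken from the post; substitute the port configured in your integration policy.

```python
import os
import socket
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class UdpSocket:
    """One row of /proc/net/udp, decoded into readable values."""
    local_ip: str
    local_port: int
    rx_queue: int   # bytes received but not yet read by the owning process
    uid: int
    inode: int
    drops: int      # datagrams the kernel discarded (receive buffer full)


def _hex_ip(hex_ip: str) -> str:
    # /proc/net/udp stores IPv4 as 8 hex digits in host (little-endian) byte order.
    return socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])


def parse_proc_net_udp(text: str) -> List[UdpSocket]:
    """Parse the text of /proc/net/udp into UdpSocket rows (header skipped)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a slot number ending in ':'; the header does not.
        if len(fields) < 13 or not fields[0].endswith(":"):
            continue
        ip_hex, port_hex = fields[1].split(":")
        rows.append(UdpSocket(
            local_ip=_hex_ip(ip_hex),
            local_port=int(port_hex, 16),
            rx_queue=int(fields[4].split(":")[1], 16),
            uid=int(fields[7]),
            inode=int(fields[9]),
            drops=int(fields[12]),
        ))
    return rows


def sockets_bound_to(text: str, port: int) -> List[UdpSocket]:
    """Return every UDP socket in the table bound to the given local port."""
    return [s for s in parse_proc_net_udp(text) if s.local_port == port]


def find_pid_for_inode(inode: int) -> Optional[int]:
    """Walk /proc/<pid>/fd to find the process holding socket:[inode] (Linux only)."""
    for pid in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if not pid.isdigit():
            continue
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    return int(pid)
        except OSError:
            continue  # process exited or we lack permission to read its fds
    return None


# Constructed sample of /proc/net/udp: one wildcard socket on port 9001 (0x2329)
# with no drops, and one loopback-only socket on port 514 (0x0202) with unread
# bytes queued and 17 dropped datagrams.
SAMPLE = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 00000000:2329 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40123 2 ffff9a1c0a3b0000 0
 1235: 0100007F:0202 00000000:0000 07 00000000:00002A00 00:00000000 00000000   998        0 22222 2 ffff9a1c0a3b0800 17
"""


def main(port: int = 9001, use_live_table: bool = False) -> None:
    # With use_live_table=True the real kernel table is read instead of SAMPLE.
    text = open("/proc/net/udp").read() if use_live_table else SAMPLE
    found = sockets_bound_to(text, port)
    if not found:
        print(f"no UDP socket bound to port {port}: nothing can receive the logs")
        return
    for s in found:
        owner = find_pid_for_inode(s.inode) if use_live_table else None
        print(f"{s.local_ip}:{s.local_port} uid={s.uid} inode={s.inode} "
              f"pid={owner} rx_queue={s.rx_queue} drops={s.drops}")
        if s.local_ip == "127.0.0.1":
            print("  bound to loopback only: remote firewalls cannot reach this socket")
        if s.drops:
            print("  kernel dropped datagrams: receiver too slow or rmem too small")


if __name__ == "__main__":
    main()
```

Run it with `use_live_table=True` on the Rocky Linux host: a socket bound to `127.0.0.1` rather than `0.0.0.0` explains logs that arrive at the host but never reach the agent, a rising `drops` counter points at receive-buffer overflow, and a PID that is not the Elastic Agent means another daemon grabbed the port first.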