Palo Alto Networks Input
Palo Alto Networks input allows Graylog to receive SYSTEM
,
and THREAT
,TRAFFIC
logs directly from a Palo Alto device and the Palo Alto Panorama system. A standard Syslog output is used on the device side. Logs are sent with a typical syslog header followed by a comma-separated list of fields. The fields order may change between versions of PAN OS.
Example SYSTEM
message:
<14>1 2018-09-19T11:50:35-05:00 Panorama-1 - - - - 1,2018/09/19 11:50:35,000710000506,SYSTEM,general,0,2018/09/19 11:50:35,,general,,0,0,general,informational,"Deviating device: Prod--2, Serial: 007255000045717, Object: N/A, Metric: mp-cpu, Value: 34",1163103,0x0,0,0,0,0,,Panorama-1
To get started, add a new Palo Alto Networks Input (TCP) in the System
> Inputs
area in Graylog. Specify the Graylog node, bind address, port, and adjust the field mappings as needed.
Graylog has three different inputs:
-
Palo Alto Networks TCP (PAN-OS v8.x)
-
Palo Alto Networks TCP (PAN-OS v9+)
-
Palo Alto Networks TCP (PAN-OS v11+)
PAN-OS 8 Input
UTC+00:00 - UTC
by default. However, you can set it to a specific offset from a dropdown menu found in the input configuration form. Since PAN device logs do not include timezone offset information, this field allows Graylog to correctly parse the timestamps from logs. If your PAN device is set to UTC, you do not need to change this value.
This input ships with a field configuration that is compatible with PAN OS 8.1. Other versions are supported by customizing the SYSTEM
, THREAT
, and TRAFFIC
mappings on the Add/Edit input page in Graylog.
The configuration for each message type is a CSV block that must include the position
, field
, and type
headers.
For example:
1,receive_time,STRING
2,serial_number,STRING
3,type,STRING
4,content_threat_type,STRING
5,future_use1,STRING
...
Accepted values for each column:
Field | Accepted Values |
---|---|
position
|
A positive integer value. |
field
|
A contiguous string value to use for the field name. Must not include the reserved field names: _ , message , full_message , source , timestamp , level ,
|
type
|
One of the following supported types: BOOLEAN , LONG ,
|
When the Palo Alto input starts, the validity of each CSV configuration is checked. If the CSV is malformed or contains invalid properties, the input will fail to start. An error describing the specific issue is logged in the graylog-server
log file and will be displayed at the top of the https://<grayloghost>/system/overview
page for the affected node.
For example:
The default mappings built into the plugin are based on the following PAN-OS 8.1 specifications. If running PAN-OS 8.1, then there is no need to edit the mappings. However, if running a different version of PAN-OS, please reference the official Palo Alto Networks log fields documentation for that version, and customize the mappings on the Add/Edit Input page accordingly.
PAN-OS 9 Input
PAN-OS 9 input auto-detects if the ingested data is from Version 9.0 or 9.1. Since the release of Graylog 3.3.6, the latter is supported automatically and will work out of the box.
The previous possible adjustments are no longer needed.
We have included links to a few recent versions here for reference.
Version 9.1
- 9.1 - Traffic Log Fields
- 9.1 - Threat Log Fields
- 9.1 - HIP Match Log Fields
- 9.1 - GlobalProtect Log Fields
- 9.1 - Config Log Fields
- 9.1 - System Log Fields
- 9.1 - Correlated Events Log Fields
Also see Documentation for older PAN OS versions
PAN-OS 11 Input
The PAN-OS 11 input automatically detects whether the ingested data is from version 11.0 or later and processes the log data using either processing pipelines or Illuminate content. This input does not fully parse the entire message schema, instead, it extracts key fields such as event_source_product
and vendor_subtype
, which are added to the message.
We have included links to a few recent versions here for reference.
Version 11.0