Palo Alto Networks Input

The Palo Alto Networks input allows Graylog to receive SYSTEM, THREAT, and TRAFFIC logs directly from a Palo Alto device or from the Palo Alto Panorama system. A standard Syslog output is used on the device side. Logs are sent with a typical syslog header followed by a comma-separated list of fields. The field order may change between versions of PAN-OS.

Example SYSTEM message:

<14>1 2018-09-19T11:50:35-05:00 Panorama-1 - - - - 1,2018/09/19 11:50:35,000710000506,SYSTEM,general,0,2018/09/19 11:50:35,,general,,0,0,general,informational,"Deviating device: Prod--2, Serial: 007255000045717, Object: N/A, Metric: mp-cpu, Value: 34",1163103,0x0,0,0,0,0,,Panorama-1

To get started, add a new Palo Alto Networks Input (TCP) in the System > Inputs area in Graylog. Specify the Graylog node, bind address, port, and adjust the field mappings as needed.

Graylog provides three different Palo Alto Networks inputs:

  • Palo Alto Networks TCP (PAN-OS v8.x)

  • Palo Alto Networks TCP (PAN-OS v9+)

  • Palo Alto Networks TCP (PAN-OS v11+)

Warning: PAN-OS 8.1*, 9.0, and 10.0 are EoL according to the Palo Alto Networks website. Critical fixes may be provided for 8.1. See the Palo Alto documentation for more information.

PAN-OS 8 Input

Hint: Before you configure the time zone on the Inputs form, note that the value is set to UTC+00:00 - UTC by default. However, you can set it to a specific offset from a dropdown menu found in the input configuration form. Since PAN device logs do not include timezone offset information, this field allows Graylog to correctly parse the timestamps from logs. If your PAN device is set to UTC, you do not need to change this value.

This input ships with a field configuration that is compatible with PAN-OS 8.1. Other versions are supported by customizing the SYSTEM, THREAT, and TRAFFIC mappings on the Add/Edit input page in Graylog.

The configuration for each message type is a CSV block that must include the position, field, and type headers.

For example:

1,receive_time,STRING
2,serial_number,STRING
3,type,STRING
4,content_threat_type,STRING
5,future_use1,STRING
...

Accepted values for each column:

Field    | Accepted Values
position | A positive integer value.
field    | A contiguous string value to use for the field name. Must not include the reserved field names: _id, message, full_message, source, timestamp, level, streams.
type     | One of the following supported types: BOOLEAN, LONG, STRING.

When the Palo Alto input starts, the validity of each CSV configuration is checked. If the CSV is malformed or contains invalid properties, the input will fail to start. An error describing the specific issue is logged in the graylog-server log file and will be displayed at the top of the https://<grayloghost>/system/overview page for the affected node.
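To see how the mapping rules above play out before an input is started, here is an added example (not Graylog's own code) that checks a mapping block against the rules in the table and then applies it to the SYSTEM message quoted earlier. It assumes the RFC 5424 header seen in that message, treats position as a 0-based index into the comma-separated payload (the reading under which position 1 in the page's mapping lands on the receive time of the sample), and constructs the mapping rows beyond the page's first three as well as the "true" spelling for BOOLEAN.

```python
"""Check a PAN-OS field mapping against the documented rules, then apply it to a sample log."""
import csv

RESERVED = {"_id", "message", "full_message", "source", "timestamp", "level", "streams"}
TYPES = {"BOOLEAN", "LONG", "STRING"}
# BOOLEAN spelled as "true"/"false" is an assumption; LONG and STRING follow the table.
CONVERT = {"LONG": int, "BOOLEAN": lambda v: v.lower() == "true", "STRING": str}
# First three rows are the page's example; the rest are constructed to match the sample message.
SYSTEM_MAPPING = """1,receive_time,STRING
2,serial_number,STRING
3,type,STRING
13,severity,STRING
14,description,STRING
15,sequence_number,LONG
22,device_name,STRING
"""
# The SYSTEM message quoted on the page: RFC 5424 header, then the comma-separated payload.
RAW = ('<14>1 2018-09-19T11:50:35-05:00 Panorama-1 - - - - 1,2018/09/19 11:50:35,000710000506,'
       'SYSTEM,general,0,2018/09/19 11:50:35,,general,,0,0,general,informational,'
       '"Deviating device: Prod--2, Serial: 007255000045717, Object: N/A, Metric: mp-cpu, '
       'Value: 34",1163103,0x0,0,0,0,0,,Panorama-1')

def validate_mapping(csv_text):
    """Return (rows, errors): parsed (position, field, type) rows plus one message per bad line."""
    rows, errors = [], []
    for lineno, row in enumerate(csv.reader(csv_text.splitlines()), start=1):
        if not row or row == ["position", "field", "type"]:
            continue  # blank line or the header row
        if len(row) != 3:
            errors.append(f"line {lineno}: expected 3 columns, got {len(row)}")
            continue
        pos, field, ftype = (c.strip() for c in row)
        if not pos.isdigit() or int(pos) < 1:
            errors.append(f"line {lineno}: position must be a positive integer, got {pos!r}")
        elif not field or any(ch.isspace() for ch in field) or field in RESERVED:
            errors.append(f"line {lineno}: field must be a contiguous, non-reserved name, got {field!r}")
        elif ftype not in TYPES:
            errors.append(f"line {lineno}: type must be BOOLEAN, LONG or STRING, got {ftype!r}")
        else:
            rows.append((int(pos), field, ftype))
    return rows, errors

def apply_mapping(raw, mapping):
    """Drop the 7-token RFC 5424 header, CSV-split the payload, and name the mapped positions."""
    values = next(csv.reader([raw.split(" ", 7)[-1]]))  # the quoted description keeps its commas
    result = {}
    for pos, field, ftype in mapping:  # position taken as a 0-based index (assumption, see lead-in)
        if pos < len(values) and values[pos]:  # shorter payloads and empty fields simply leave gaps
            result[field] = CONVERT[ftype](values[pos])
    return result
```

Running validate_mapping on a block with a reserved name, a zero position or an unknown type returns one message per offending line, which is the same class of problem the input reports when it refuses to start.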

The default mappings built into the plugin are based on the following PAN-OS 8.1 specifications. If running PAN-OS 8.1, then there is no need to edit the mappings. However, if running a different version of PAN-OS, please reference the official Palo Alto Networks log fields documentation for that version, and customize the mappings on the Add/Edit Input page accordingly.

PAN-OS 9 Input

Warning: The Palo Alto 9 input does not support PAN-OS v11 logs. PAN-OS v11 data sent to the Palo Alto 9 input will not be properly received and will be lost! It is possible to use a syslog input to allow Graylog to receive PAN-OS v11 logs; however, this data will not be parsed.

The PAN-OS 9 input auto-detects whether the ingested data is from version 9.0 or 9.1. Since Graylog 3.3.6, version 9.1 is supported automatically and works out of the box.

The manual adjustments that were previously required are no longer needed.

We have included links to a few recent versions here for reference.

Version 9.1

Also see Documentation for older PAN-OS versions

PAN-OS 11 Input

The PAN-OS 11 input automatically detects whether the ingested data is from version 11.0 or later and processes the log data using either processing pipelines or Illuminate content. This input does not fully parse the entire message schema; instead, it extracts key fields such as event_source_product and vendor_subtype and adds them to the message.

We have included links to a few recent versions here for reference.

Version 11.0