Palo Alto 9.x Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Warning: This content pack has been deprecated and is scheduled for removal in Illuminate 8.0.0. All supported content has been migrated to the Palo Alto 11 content pack.

Palo Alto Networks next-generation firewalls provide real-time threat prevention, application visibility, and user-based policy enforcement. This technology pack processes Palo Alto PAN-OS 9.1+ logs, providing normalization and enrichment of common events of interest.

Supported Versions

  • PAN-OS 9.1+

  • PAN-OS 10.x

Requirements

  • A Palo Alto device sending logs to the Graylog input Palo Alto Networks TCP (PAN-OS v9+).

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Palo Alto Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Palo Alto Log Messages"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Palo Alto devices forward logs to Graylog via syslog using the dedicated PAN-OS v9+ input.

Configure the Graylog Input

  1. In Graylog, navigate to System > Inputs and launch a Palo Alto Networks TCP (PAN-OS v9+) input.

  2. Note the port number and save the input.

Configure the Palo Alto Device

  1. On your Palo Alto firewall, navigate to Device > Server Profiles > Syslog and create a new syslog server profile.

  2. Set the server IP address to your Graylog server IP and the port to match the Graylog input port.

  3. Set the transport to TCP and the format to BSD.

  4. Navigate to Device > Log Settings and assign the syslog server profile to the log types you wish to forward (Threat, Traffic, GlobalProtect).

  5. Commit the configuration.

Hint: Refer to the Palo Alto syslog monitoring guide for detailed device configuration steps.

Log Format Examples

PAN-OS syslog messages are delivered in BSD syslog format with a CSV-encoded payload, parsed by the Graylog PAN-OS v9+ input.

GlobalProtect Log

<14>1 2021-03-08T14:10:27.137432Z PYTHON_TEST_SENDER - - - - 1,2020/04/01 10:49:58,015351000040055,13,0x0,GLOBALPROTECT,0,2305,2020/04/01 10:49:58,vsys1,portal-auth,login,Local Database,,phillip.price,192.168.0.0-192.168.255.255,WIN-VAL4395SQ3L,192.168.45.33,0.0.0.0,0.0.0.0,0.0.0.0,2c2ec970-de09-444c-b84f-2c0be75e13cd,,Browser,Windows,"Microsoft Windows 7 Service Pack 1, 64-bit",1,,Invalid username or password,"",failure,,0,user-logon,1,gp-portal

Threat Log (Spyware / Vulnerability)

<14>1 2021-03-08T14:08:28.296051Z PYTHON_TEST_SENDER - - - - 1,2020/05/19 07:37:34,007200002536,THREAT,spyware,2305,2020/05/19 07:37:34,10.154.229.167,77.254.254.254,,,General Business Apps,pancademo\andy.miller,,unknown-udp,vsys1,L3-TAP,L3-TAP,ethernet1/2,ethernet1/2,,2020/05/19 07:37:34,140539,1,1024,1024,0,0,0x2000,udp,drop-all-packets,"ZeroAccess.Gen Command and Control Traffic(13235)",13235,critical,server-to-client,6684613427694591054,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1589874840,0,0,0,,us1,,,, 0,,0,,N/A,spyware,

Threat Log (URL Filtering)

<14>1 2021-03-08T13:35:29.030447Z PYTHON_TEST_SENDER - - - - 1,2020/05/19 07:37:25,007200002536,THREAT,url,2305,2020/05/19 07:37:25,10.154.172.203,74.125.224.99,,,General Web Infrastructure,pancademo\shane.long,,google-analytics,vsys1,L3-TAP,L3-TAP,ethernet1/2,ethernet1/2,ToUS1RAMA,2020/05/19 07:37:25,50003,1,56776,80,0,0,0x0,tcp,block-url,"analytics.google.com/analytics/r/collect (9999)",9999,informational,client-to-server,6684613427694591000,0x0,10.0.0.0-10.255.255.255,United States,0,1589874840,0,0,0,,us1,,,,0,,0,,N/A,computer-and-internet-info low-risk,

Traffic Log

<14>1 2021-03-08T14:09:00.000000Z PYTHON_TEST_SENDER - - - - 1,2020/05/19 07:38:00,007200002536,TRAFFIC,end,2305,2020/05/19 07:38:00,10.154.229.167,77.254.254.254,10.154.229.167,77.254.254.254,General Business Apps,pancademo\andy.miller,,web-browsing,vsys1,L3-TAP,L3-TAP,ethernet1/2,ethernet1/2,ToUS1RAMA,2020/05/19 07:38:00,140540,1,1024,443,0,0,0x400000,tcp,allow,4096,2048,2048,10,2020/05/19 07:37:50,10,any,,6684613427694591055,0x0,10.0.0.0-10.255.255.255,United States,,5,0,n/a,0,0,0,0,,us1,from-policy,

What is Provided

  • Parsing and normalization rules for Palo Alto PAN-OS 9.1+ logs.

  • Graylog Information Model (GIM) event type categorization for Traffic, Threat, URL Filtering, and GlobalProtect events.

Events Processed by This Technology Pack

This content pack supports the following PAN-OS log types:

  • GlobalProtect - portal authentication events (portal-auth).

  • Threat - intrusion detection alerts including spyware and vulnerability subtypes.

  • Threat (URL Filtering) - URL filtering block and alert events.

  • Traffic - network session events.

GIM Categorization

GIM event type categorization is provided for the following message types:

Message Type gim_event_type_code gim_event_category gim_event_class gim_event_subcategory gim_event_type
GlobalProtect portal-auth (login stage) 100000 authentication authentication.logon logon
GlobalProtect portal-auth (login stage) 100500 authentication authentication.credential validation credential validation
Traffic logs 120000 network network.network connection network connection
Threat logs (spyware / vulnerability / url-filtering) 300000 detection detection.network_detection ids_detection

Field Normalization

Fields extracted and normalized for each PAN-OS 9.x log type. The Graylog PAN-OS v9+ input pre-parses the CSV payload; pipeline rules rename and enrich fields to Illuminate standard names.

GlobalProtect Log Fields

Illuminate Field Vendor Field
event_observer_uid Serial Number
event_observer_hostname Device Name
vendor_subtype Type (GLOBALPROTECT)
event_received_time Generated Time
host_virtfw_id Virtual System
vendor_event_name Event ID (pan_event_name)
vendor_tunnel_stage Stage (pan_tunnel_stage)
vendor_auth_method Authentication Method (pan_auth_method)
user_name Source User (source_user)
vendor_source_region Source Region (pan_source_region)
source_hostname Machine Name
source_ip Public IP / Private IP (vendor_public_ip / vendor_private_ip)
vendor_gp_hostid Host ID (pan_gp_hostid)
vendor_gp_client_version Client Version (pan_gp_client_version)
host_type Client OS
host_type_version Client OS Version
event_repeat_count Repeat Count
vendor_event_outcome_reason Error (pan_gp_error)
vendor_event_outcome Status (vendor_event_action)
event_outcome Status (derived from vendor_event_outcome)
vendor_gp_connect_method Connect Method (pan_gp_connect_method)
destination_hostname Portal (pan_gp_hostname)
application_name Application (set to "Global Protect")
gim_event_type_code GIM Code (set to ["100000" "100500"])

Threat Log Fields (Spyware / Vulnerability)

Illuminate Field Vendor Field
event_observer_uid Serial Number
event_observer_hostname Device Name
vendor_subtype Type (THREAT)
vendor_log_subtype Threat/Content Type (spyware / vulnerability)
event_received_time Generated Time
source_ip Source Address
destination_ip Destination Address
rule_name Rule Name
source_user_name Source User (source_user — domain stripped)
source_user_domain Source User Domain (extracted from domain\user)
destination_user_name Destination User (destination_user — domain stripped)
destination_user_domain Destination User Domain (extracted from domain\user)
application_name Application
host_virtfw_id Virtual System
source_zone Source Zone
destination_zone Destination Zone
network_interface_in Inbound Interface
network_interface_out Outbound Interface
session_id Session ID
event_repeat_count Repeat Count
source_port Source Port
destination_port Destination Port
network_transport IP Protocol (network_protocol)
vendor_event_action Action
event_action Action (normalized via lookup)
alert_signature Threat Name (alert_signature_id — name portion)
alert_signature_id Threat ID (alert_signature_id — numeric portion)
vendor_alert_severity Severity
alert_severity Severity (normalized via lookup)
alert_severity_level Severity Level (numeric)
vendor_alert_direction Direction
event_uid Sequence Number
source_location_name Source Location
destination_location_name Destination Location
vendor_threat_category Threat Category
gim_event_type_code GIM Code (set to ["300000"])

Threat Log Fields (URL Filtering)

Illuminate Field Vendor Field
event_observer_uid Serial Number
event_observer_hostname Device Name
vendor_subtype Type (THREAT)
vendor_log_subtype Threat/Content Type (url)
event_received_time Generated Time
source_ip Source Address
destination_ip Destination Address
rule_name Rule Name
source_user_name Source User (source_user — domain stripped)
source_user_domain Source User Domain (extracted from domain\user)
destination_user_name Destination User (destination_user — domain stripped)
destination_user_domain Destination User Domain (extracted from domain\user)
application_name Application
host_virtfw_id Virtual System
source_zone Source Zone
destination_zone Destination Zone
network_interface_in Inbound Interface
network_interface_out Outbound Interface
session_id Session ID
event_repeat_count Repeat Count
source_port Source Port
destination_port Destination Port
network_transport IP Protocol (network_protocol)
vendor_event_action Action
event_action Action (normalized via lookup)
alert_indicator URL/Filename
alert_signature Threat Name (alert_signature_id — name portion)
alert_signature_id Threat ID (alert_signature_id — numeric portion)
vendor_alert_severity Severity
alert_severity Severity (normalized via lookup)
alert_severity_level Severity Level (numeric)
vendor_alert_direction Direction
event_uid Sequence Number
source_location_name Source Location
destination_location_name Destination Location
http_uri_category Category (expanded to array)
gim_event_type_code GIM Code (set to ["300000"])

Traffic Log Fields

Illuminate Field Vendor Field
event_observer_uid Serial Number
event_observer_hostname Device Name
vendor_subtype Type (TRAFFIC)
vendor_log_subtype Traffic Type (start / end / drop)
event_received_time Generated Time
source_ip Source Address
destination_ip Destination Address
source_nat_ip NAT Source IP
destination_nat_ip NAT Destination IP
rule_name Rule Name
source_user_name Source User (source_user — domain stripped)
source_user_domain Source User Domain (extracted from domain\user)
destination_user_name Destination User (destination_user — domain stripped)
destination_user_domain Destination User Domain (extracted from domain\user)
application_name Application (network_application)
host_virtfw_id Virtual System
source_zone Source Zone
destination_zone Destination Zone
network_interface_in Inbound Interface
network_interface_out Outbound Interface
session_id Session ID
event_repeat_count Repeat Count
source_port Source Port
destination_port Destination Port
source_nat_port NAT Source Port
destination_nat_port NAT Destination Port
network_transport IP Protocol (network_protocol)
vendor_event_action Action
event_action Action (normalized via lookup)
network_bytes Total Bytes
source_bytes_sent Bytes Sent (network_bytes_tx)
destination_bytes_sent Bytes Received (network_bytes_rx)
network_packets Total Packets (source + destination packets)
source_packets_sent Packets Sent
destination_packets_sent Packets Received
event_start Start Time
event_duration Elapsed Time
http_uri_category Category
event_uid Sequence Number
source_location_name Source Country
destination_location_name Destination Country
vendor_session_end_reason Session End Reason
gim_event_type_code GIM Code (set to ["120000"])