The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Palo Alto is a next-generation firewall that uses a stream-based threat prevention engine to provide real-time (line-rate, low-latency) content scanning, protecting users against malicious attacks including viruses, spyware, data leakage, and application vulnerabilities. This technology pack processes Palo Alto logs, normalizing and enriching common events of interest.

Supported Version(s)

  • Version 9.1

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Palo Alto Messages”

Index Set Configuration

This technology pack includes one index set definition:

  • “Palo Alto Log Messages”

If this index set is already defined, nothing will be changed. If it does not exist, it will be created with a daily index rotation and a 90-day retention period. These settings can be adjusted as required after installation.

Requirements

  • Supported Palo Alto device sending logs to the Graylog input “Palo Alto Networks TCP (PAN-OS v9)”

What is Provided

  • Parsing rules to extract Palo Alto logs into Graylog schema-compatible fields
  • Graylog Information Model message categorization
  • Illuminate Spotlight