This is my little modification to get the paloalto vsys field.
In the file /usr/share/filebeat/module/panw/panos/config/input.yml
i add 2 lines to make vsys visible in the index, as follow:
{{ if eq .input "syslog" }}
type: syslog
protocol.udp:
host: "{{.syslog_host}}:{{.syslog_port}}"
{{ else if eq .input "file" }}
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
{{ end }}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
fields_under_root: true
fields:
observer:
vendor: Palo Alto Networks
product: PAN-OS
type: firewall
processors:
- add_locale: ~
- decode_csv_fields:
fields:
message: csv
- extract_array:
field: csv
overwrite_keys: true
omit_empty: true
mappings:
event.created: 1
observer.serial_number: 2
panw.panos.type: 3
panw.panos.sub_type: 4
_temp_.generated_time: 6
- extract_array:
when:
equals:
panw.panos.type: TRAFFIC
field: csv
overwrite_keys: true
omit_empty: true
fail_on_error: false
mappings:
client.ip: 7
source.ip: 7
source.address: 7
server.ip: 8
destination.ip: 8
destination.address: 8
source.nat.ip: 9
client.nat.ip: 9
destination.nat.ip: 10
server.nat.ip: 10
panw.panos.ruleset: 11
client.user.name: 12
source.user.name: 12
server.user.name: 13
destination.user.name: 13
network.application: 14
panw.panos.virtual_sys: 15
panw.panos.source.zone: 16
observer.ingress.zone: 16
panw.panos.destination.zone: 17
observer.egress.zone: 17
panw.panos.source.interface: 18
observer.ingress.interface.name: 18
panw.panos.destination.interface: 19
observer.egress.interface.name: 19
panw.panos.flow_id: 22
client.port: 24
source.port: 24
destination.port: 25
server.port: 25
source.nat.port: 26
client.nat.port: 26
destination.nat.port: 27
server.nat.port: 27
_temp_.labels: 28
network.transport: 29
panw.panos.action: 30
network.bytes: 31
client.bytes: 32
source.bytes: 32
server.bytes: 33
destination.bytes: 33
network.packets: 34
event.start: 35
event.duration: 36
panw.panos.url.category: 37
panw.panos.sequence_number: 39
client.packets: 44
source.packets: 44
server.packets: 45
destination.packets: 45
panw.panos.endreason: 46
observer.hostname: 52
- extract_array:
when:
equals:
panw.panos.type: THREAT
field: csv
omit_empty: true
overwrite_keys: true
fail_on_error: false
mappings:
client.ip: 7
source.ip: 7
source.address: 7
server.ip: 8
destination.ip: 8
destination.address: 8
source.nat.ip: 9
client.nat.ip: 9
destination.nat.ip: 10
server.nat.ip: 10
panw.panos.ruleset: 11
client.user.name: 12
source.user.name: 12
server.user.name: 13
destination.user.name: 13
network.application: 14
panw.panos.virtual_sys: 15
panw.panos.source.zone: 16
observer.ingress.zone: 16
panw.panos.destination.zone: 17
observer.egress.zone: 17
panw.panos.source.interface: 18
observer.ingress.interface.name: 18
panw.panos.destination.interface: 19
observer.egress.interface.name: 19
panw.panos.flow_id: 22
client.port: 24
source.port: 24
destination.port: 25
server.port: 25
source.nat.port: 26
client.nat.port: 26
destination.nat.port: 27
server.nat.port: 27
_temp_.labels: 28
network.transport: 29
panw.panos.action: 30
panw.panos.threat.resource: 31
url.original: 31
panw.panos.threat.name: 32
panw.panos.url.category: 33
log.level: 34
_temp_.direction: 35
_temp_.srcloc: 38
_temp_.dstloc: 39
panw.panos.network.pcap_id: 42
panw.panos.file.hash: 43
user_agent.original: 46
file.type: 47
network.forwarded_ip: 48
http.request.referer: 49
source.user.email: 50
panw.panos.subject: 51
destination.user.email: 52
observer.hostname: 59
- drop_fields:
fields:
- csv
- community_id: ~
- community_id:
target: panw.panos.network.nat.community_id
fields:
source_ip: source.nat.ip
source_port: source.nat.port
destination_ip: destination.nat.ip
destination_port: destination.nat.port
# Copy NAT data from ECS fields to the original non-ECS fields to retain
# backward compatibility. This should be removed for 8.0.
- convert:
ignore_missing: true
fields:
- {from: source.nat.ip, to: panw.panos.source.nat.ip, type: ip}
- {from: destination.nat.ip, to: panw.panos.destination.nat.ip, type: ip}
- {from: source.nat.port, to: panw.panos.source.nat.port, type: long}
- {from: destination.nat.port, to: panw.panos.destination.nat.port, type: long}
- add_fields:
target: ''
fields:
ecs.version: 1.6.0
You can see in the TRAFIC and THREAT, I add line with number 15, I put the name panw.panos.virtual_system:15
Just save it, and restart the filebeat...
Then the virtual system shown in the index, and make it permanant into the index using Index Pattern refresh
Below the sample of the fields in JSON
},
"panw": {
"panos": {
"virtual_sys": "vsys3",
"sequence_number": 4587779761,
"sub_type": "start",
"flow_id": "33695379",
"ruleset": "Allow-Out-Bubbly",
"destination": {
"nat": {
"port": 0,
"ip": "0.0.0.0"
},
Perhaps it's can be add into the next release to bring thr virtual system information available in the Filebeat PaloAlto Module.
Regards,
Fadjar Tandabawana