Filebeat PaloAlto Modules for virtual system field

This is my little modification to get the paloalto vsys field.
In the file /usr/share/filebeat/module/panw/panos/config/input.yml
i add 2 lines to make vsys visible in the index, as follow:

{{ if eq .input "syslog" }}

type: syslog
protocol.udp:
  host: "{{.syslog_host}}:{{.syslog_port}}"

{{ else if eq .input "file" }}

type: log
paths:
{{ range $i, $path := .paths }}
  - {{$path}}
{{ end }}
exclude_files: [".gz$"]

{{ end }}

tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

fields_under_root: true
fields:
  observer:
    vendor: Palo Alto Networks
    product: PAN-OS
    type: firewall

processors:
  - add_locale: ~

  - decode_csv_fields:
      fields:
        message: csv

  - extract_array:
      field: csv
      overwrite_keys: true
      omit_empty: true
      mappings:
        event.created: 1
        observer.serial_number: 2
        panw.panos.type: 3
        panw.panos.sub_type: 4
        _temp_.generated_time: 6

  - extract_array:
      when:
        equals:
          panw.panos.type: TRAFFIC
      field: csv
      overwrite_keys: true
      omit_empty: true
      fail_on_error: false
      mappings:
        client.ip: 7
        source.ip: 7
        source.address: 7
        server.ip: 8
        destination.ip: 8
        destination.address: 8
        source.nat.ip: 9
        client.nat.ip: 9
        destination.nat.ip: 10
        server.nat.ip: 10
        panw.panos.ruleset: 11
        client.user.name: 12
        source.user.name: 12
        server.user.name: 13
        destination.user.name: 13
        network.application: 14
        panw.panos.virtual_sys: 15
        panw.panos.source.zone: 16
        observer.ingress.zone: 16
        panw.panos.destination.zone: 17
        observer.egress.zone: 17
        panw.panos.source.interface: 18
        observer.ingress.interface.name: 18
        panw.panos.destination.interface: 19
        observer.egress.interface.name: 19
        panw.panos.flow_id: 22
        client.port: 24
        source.port: 24
        destination.port: 25
        server.port: 25
        source.nat.port: 26
        client.nat.port: 26
        destination.nat.port: 27
        server.nat.port: 27
        _temp_.labels: 28
        network.transport: 29
        panw.panos.action: 30
        network.bytes: 31
        client.bytes: 32
        source.bytes: 32
        server.bytes: 33
        destination.bytes: 33
        network.packets: 34
        event.start: 35
        event.duration: 36
        panw.panos.url.category: 37
        panw.panos.sequence_number: 39
        client.packets: 44
        source.packets: 44
        server.packets: 45
        destination.packets: 45
        panw.panos.endreason: 46
        observer.hostname: 52

  - extract_array:
      when:
       equals:
          panw.panos.type: THREAT
      field: csv
      omit_empty: true
      overwrite_keys: true
      fail_on_error: false
      mappings:
        client.ip: 7
        source.ip: 7
        source.address: 7
        server.ip: 8
        destination.ip: 8
        destination.address: 8
        source.nat.ip: 9
        client.nat.ip: 9
        destination.nat.ip: 10
        server.nat.ip: 10
        panw.panos.ruleset: 11
        client.user.name: 12
        source.user.name: 12
        server.user.name: 13
        destination.user.name: 13
        network.application: 14
        panw.panos.virtual_sys: 15
        panw.panos.source.zone: 16
        observer.ingress.zone: 16
        panw.panos.destination.zone: 17
        observer.egress.zone: 17
        panw.panos.source.interface: 18
        observer.ingress.interface.name: 18
        panw.panos.destination.interface: 19
        observer.egress.interface.name: 19
        panw.panos.flow_id: 22
        client.port: 24
        source.port: 24
        destination.port: 25
        server.port: 25
        source.nat.port: 26
        client.nat.port: 26
        destination.nat.port: 27
        server.nat.port: 27
        _temp_.labels: 28
        network.transport: 29
        panw.panos.action: 30
        panw.panos.threat.resource: 31
        url.original: 31
        panw.panos.threat.name: 32
        panw.panos.url.category: 33
        log.level: 34
        _temp_.direction: 35
        _temp_.srcloc: 38
        _temp_.dstloc: 39
        panw.panos.network.pcap_id: 42
        panw.panos.file.hash: 43
        user_agent.original: 46
        file.type: 47
        network.forwarded_ip: 48
        http.request.referer: 49
        source.user.email: 50
        panw.panos.subject: 51
        destination.user.email: 52
        observer.hostname: 59

  - drop_fields:
      fields:
        - csv

  - community_id: ~

  - community_id:
      target: panw.panos.network.nat.community_id
      fields:
        source_ip: source.nat.ip
        source_port: source.nat.port
        destination_ip: destination.nat.ip
        destination_port: destination.nat.port

  # Copy NAT data from ECS fields to the original non-ECS fields to retain
  # backward compatibility. This should be removed for 8.0.
  - convert:
      ignore_missing: true
      fields:
        - {from: source.nat.ip, to: panw.panos.source.nat.ip, type: ip}
        - {from: destination.nat.ip, to: panw.panos.destination.nat.ip, type: ip}
        - {from: source.nat.port, to: panw.panos.source.nat.port, type: long}
        - {from: destination.nat.port, to: panw.panos.destination.nat.port, type: long}
  - add_fields:
      target: ''
      fields:
        ecs.version: 1.6.0

You can see in the TRAFIC and THREAT, I add line with number 15, I put the name panw.panos.virtual_system:15

Just save it, and restart the filebeat...
Then the virtual system shown in the index, and make it permanant into the index using Index Pattern refresh

Below the sample of the fields in JSON


    },
    "panw": {
      "panos": {
        "virtual_sys": "vsys3",
        "sequence_number": 4587779761,
        "sub_type": "start",
        "flow_id": "33695379",
        "ruleset": "Allow-Out-Bubbly",
        "destination": {
          "nat": {
            "port": 0,
            "ip": "0.0.0.0"
          },

Perhaps it's can be add into the next release to bring thr virtual system information available in the Filebeat PaloAlto Module.

Regards,
Fadjar Tandabawana

Hi @fadjar340, do you have a GitHub account? If so, could you post this as an enhancement issue — or even better, as a pull request — in https://github.com/elastic/beats?

Thanks,

Shaunak

Yes, I have it...
Please add my account: fadjar340 at github

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.