How can I collect Palo Alto firewall metrics (CPU, RAM, Disk usage)

shortone · October 7, 2022, 3:30pm

Hello!

I've recently setup the elastic agent on an intermediate host, I have syslog forwarding from our palo alto firewall to this host which is then shipping to elasticsearch and the palo alto integration seems to be working well. I also would like to build a dashboard to show the firewalls performance metrics like CPU, RAM, Disk utilization but i'm not sure how to do that. Is this something i'll have to setup like SNMP input plugin for logstash and configure that way or is there a better way of collecting metrics and getting them into elasticsearch ?

shortone · October 12, 2022, 6:52pm

I went ahead and setup an SNMP logstash config to poll the data I need. It seems to work well.

This is what I ended up with if it helps anyone else.

 input {
 snmp {
    hosts => [{host => "udp:IP1/161" version => "3"},{host => "udp:IP2/161" version => "3"}]
    get => ["1.3.6.1.2.1.25.3.3.1.2.1", "1.3.6.1.2.1.25.3.3.1.2.2", "1.3.6.1.2.1.25.1.1.0", "1.3.6.1.4.1.25461.2.1.2.3.6.0", "1.3.6.1.4.1.25461.2.1.2.3.5.0", "1.3.6.1.4.1.25461.2.1.2.3.4.0", "1.3.6.1.4.1.25461.2.1.2.3.3.0", "1.3.6.1.4.1.25461.2.1.2.3.2.0", "1.3.6.1.4.1.25461.2.1.2.3.1.0","1.3.6.1.4.1.25461.2.1.2.5.1.1.0","1.3.6.1.4.1.25461.2.1.2.5.1.2.0","1.3.6.1.4.1.25461.2.1.2.5.1.3.0","1.3.6.1.2.1.25.2.3.1.5.20","1.3.6.1.2.1.25.2.3.1.6.20","1.3.6.1.2.1.25.2.3.1.5.30","1.3.6.1.2.1.25.2.3.1.6.30","1.3.6.1.2.1.25.2.3.1.5.40", "1.3.6.1.2.1.25.2.3.1.6.40", "1.3.6.1.2.1.25.2.3.1.5.41", "1.3.6.1.2.1.25.2.3.1.6.41", "1.3.6.1.2.1.25.2.3.1.5.42", "1.3.6.1.2.1.25.2.3.1.6.42","1.3.6.1.2.1.1.5.0"]
    security_name => "logstash_service_account"
    auth_protocol => "hmac192sha256"
    auth_pass => "SNMPPASS"
    priv_protocol => "aes256"
    priv_pass => "SNMPPASS"
    security_level => "authPriv"
    interval => 60
    tags => "palo-snmp"
  }
}
filter {
  if "palo-snmp" in [tags]{
    mutate {
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad.1]" => "mgmt-cpu"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad.2]" => "dataplane-cpu"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrSystem.hrSystemUptime.0]" => "system-uptime"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.3.6.0]" => "active-icmp-sessions"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.3.5.0]" => "active-udp-sessions"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.3.4.0]" => "active-tcp-sessions"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.3.3.0]" => "total-active-sessions"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.3.2.0]" => "max-sessions-for-device"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.3.1.0]" => "percent-session-utilization"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.5.1.1.0]" => "gp-gw-utilization-percent"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.5.1.2.0]" => "gp-gw-utilization-max-tunnels"}
      rename => {"[iso.org.dod.internet.private.enterprises.25461.2.1.2.5.1.3.0]" => "gp-gw-utilization-active-tunnels"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.20]" => "mgmt-memory-total"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.20]" => "mgmt-memory-used"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.30]" => "swap-partition-total"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.30]" => "swap-partition-used"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.40]" => "config-partition-total"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.40]" => "config-partition-used"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.41]" => "log-partition-total"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.41]" => "log-partition-used"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageSize.42]" => "root-partition-total"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageUsed.42]" => "root-partition-used"}
      rename => {"[iso.org.dod.internet.mgmt.mib-2.system.sysName.0]" => "system-name"}
    }
  }
}
output{
  if "palo-snmp" in [tags]{
    elasticsearch {
      hosts => ["https://elastic01:9200","https://elastic02:9200"]
      api_key => "APIID:APIKEY"
      cacert => '/etc/logstash/certs/ca-cert.crt'
      ssl => true
      index => "metrics-logstash-palo-%{+YYYY.MM.dd}"
      data_stream => auto
      action => "create"
    }
  }
}

system · November 9, 2022, 6:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Palo Alto Networks - Logstash > Elastic > Kibana Logstash	8	822	July 4, 2023
Elastic Agent -> Oracle Metrics / Oracle Logs via Filebeat to Logstash to Elasticsearch Beats elastic-agent	1	423	February 9, 2022
Integrating Panorama (Palo Alto tool) logs to ElasticSearch Elastic Search elastic-site-search	1	318	March 15, 2024
Integration with cisco ISE, PaloAlto and Fortigate Firewall Elastic Security	16	741	January 25, 2024
Getting APM metrics using the/an API APM python , ruby	11	1452	January 12, 2022

How can I collect Palo Alto firewall metrics (CPU, RAM, Disk usage)

Related topics