Palo Alto (a.k.a. panos or panw) Filebeat Compatibility with Palo Alto Version 10.1?

Hi, I was tasked with ingesting logs from Palo Alto 10.1. In my testbed, everything worked great when using the sample logs (beats/x-pack/filebeat/module/panw/panos/test at 877d8bcd176b2f5d4efd2a81846a481b94798b49 · elastic/beats · GitHub ).

However, I got a sample of the real logs at the last minute (basically at my deadline) and they were formatted quite differently from the samples I had been testing with.

Here's one example:

14:24:02,460A62FA77435B9,SYSTEM,general,2561,2021/07/20 14:24:02,,general,,0,0,general,medium," Failed password for root from 156.70.80.30 port 43592 ssh2",6989994259567175558,0x0,0,0,0,0,,PA-VM,0,0,2021-07-20T14:24:02.231-07:00

I'm trying to figure out whether the v10.1 logging is compatible with the Filebeat module. (I'm assuming it is.)

Here are some second-hand screenshots from Palo Alto (I have no access myself):

I might just be seeing regular system logs coming from the Palo Alto VM. (I'm getting the logs from a sidecar syslog server.)

I might not be seeing any actual logs from the PA service, in which case this thread could be moot. I'll update it if/when I find out more.
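As an added example (not code from this thread or from the Filebeat panw module), a small Python check that splits a PAN-OS CSV line, quoted description included, and lays it over the SYSTEM log column order so you can see whether a sample lines up before pointing the module at it. The column list is my reading of the PAN-OS 10.x system log documentation and is an assumption to verify against your release; the sample line is the one posted above.

```python
import csv
import re

# Column order for a PAN-OS 10.x SYSTEM log (assumption from the PAN-OS docs,
# not from the thread; check it against the docs for your exact release).
SYSTEM_LOG_COLUMNS = [
    "future_use_1", "receive_time", "serial_number", "type", "subtype",
    "future_use_2", "generated_time", "virtual_system", "event_id", "object",
    "future_use_3", "future_use_4", "module", "severity", "description",
    "sequence_number", "action_flags", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "virtual_system_name", "device_name",
    "future_use_5", "future_use_6", "high_resolution_timestamp",
]

TIME_ONLY = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def parse_system_log(line):
    """Split one PAN-OS CSV line (the quoted description may itself contain
    commas) and map it onto the SYSTEM layout. Returns (fields, notes)."""
    values = next(csv.reader([line.strip()]))
    notes = []
    expected = len(SYSTEM_LOG_COLUMNS)
    # A line whose first value is only hh:mm:ss is one column short: the
    # leading FUTURE_USE field and the date half of receive_time are missing,
    # which is what a relay or copy/paste clipping the start of the line does.
    if TIME_ONLY.match(values[0]) and len(values) == expected - 1:
        notes.append("leading FUTURE_USE and receive-time date clipped; realigned")
        values = ["", "<date missing> " + values[0]] + values[1:]
    if len(values) != expected:
        notes.append(f"field count {len(values)} != expected {expected}")
    fields = dict(zip(SYSTEM_LOG_COLUMNS, values))
    if fields.get("type") != "SYSTEM":
        notes.append(f"type is {fields.get('type')!r}, not a SYSTEM log")
    if "description" in fields:
        # PAN-OS emits the description with a leading space inside the quotes.
        fields["description"] = fields["description"].strip()
    return fields, notes


# The sample line from the thread (it starts with a bare time, so it is clipped).
SAMPLE = ('14:24:02,460A62FA77435B9,SYSTEM,general,2561,2021/07/20 14:24:02,,'
          'general,,0,0,general,medium," Failed password for root from '
          '156.70.80.30 port 43592 ssh2",6989994259567175558,0x0,0,0,0,0,,'
          'PA-VM,0,0,2021-07-20T14:24:02.231-07:00')

if __name__ == "__main__":
    parsed, problems = parse_system_log(SAMPLE)
    for name, value in parsed.items():
        print(f"{name:28} {value}")
    print("notes:", problems)
```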

So I can't say 100% that all the new fields in 10.x have been added, but last I checked 10.x didn't mess with any of the previous logs in the message, and so it should parse the logs without issue.
