Hi, I was tasked with ingesting logs from Palo Alto 10.1. In my testbed, everything worked great when using the sample logs (beats/x-pack/filebeat/module/panw/panos/test at 877d8bcd176b2f5d4efd2a81846a481b94798b49 · elastic/beats · GitHub ).
However, I got a sample of the real logs at the last minute (basically at my deadline) and they were formatted quite differently from the samples I had been testing with.
Here's one example:
14:24:02,460A62FA77435B9,SYSTEM,general,2561,2021/07/20 14:24:02,,general,,0,0,general,medium," Failed password for root from 156.70.80.30 port 43592 ssh2",6989994259567175558,0x0,0,0,0,0,,PA-VM,0,0,2021-07-20T14:24:02.231-07:00
I'm trying to figure out whether the v.10.1 logging is compatible with the filebeat module. (I'm assuming it is.)
Here are some second-hand screenshots from Palo Alto (I have no access myself):
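A quick way to check whether a real line like the one above still has the field layout the module expects is to parse it with a CSV reader (the description field is quoted, so a plain split on commas would break on any message containing a comma) and compare it against a named field list. The code below is an added example and is not part of the original post or of the elastic/beats module; the field names are an assumption based on the PAN-OS 10.x SYSTEM log layout, and the sample line is the poster's own line reproduced verbatim. It also flags the one visible oddity in that line, namely that the first field carries only a time of day rather than the full `YYYY/MM/DD HH:MM:SS` receive time, and extracts the user and source address from the "Failed password" description so the event can be counted as an SSH authentication failure on the firewall's management interface.

```python
import csv
import re
from typing import Dict, List, Optional

# Assumed PAN-OS 10.x SYSTEM log field order (25 fields, including the
# high-resolution timestamp added in PAN-OS 10.0). This is an assumption
# for illustration, not verified against the poster's device.
SYSTEM_LOG_FIELDS: List[str] = [
    "receive_time", "serial", "type", "subtype", "future_use_1",
    "generated_time", "vsys", "event_id", "object", "future_use_2",
    "future_use_3", "module", "severity", "description", "seqno",
    "action_flags", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
    "dg_id", "tpl_id", "high_res_timestamp",
]

# The poster's sample line, reproduced verbatim from the question.
SAMPLE_LINE = (
    '14:24:02,460A62FA77435B9,SYSTEM,general,2561,2021/07/20 14:24:02,,'
    'general,,0,0,general,medium," Failed password for root from '
    '156.70.80.30 port 43592 ssh2",6989994259567175558,0x0,0,0,0,0,,PA-VM,'
    '0,0,2021-07-20T14:24:02.231-07:00'
)

FULL_TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")
SSH_AUTH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<port>\d+) ssh2"
)


def split_fields(line: str) -> List[str]:
    """Split one PAN-OS CSV line, honouring the quoted description field."""
    return next(csv.reader([line]))


def parse_system_log(line: str) -> Dict[str, str]:
    """Map the line's fields onto the assumed SYSTEM log field names."""
    return dict(zip(SYSTEM_LOG_FIELDS, split_fields(line)))


def validate(line: str) -> List[str]:
    """Return a list of layout problems a module expecting the 10.x
    SYSTEM format would trip over (empty list means the line looks sane)."""
    fields = split_fields(line)
    issues: List[str] = []
    if len(fields) != len(SYSTEM_LOG_FIELDS):
        issues.append(
            f"field count {len(fields)} != expected {len(SYSTEM_LOG_FIELDS)}"
        )
    if not FULL_TIMESTAMP.match(fields[0]):
        # The sample line starts with "14:24:02": the date part of
        # receive_time is missing, which suggests the syslog header or
        # the start of the CSV record was cut off before collection.
        issues.append(f"receive_time {fields[0]!r} is not a full timestamp")
    return issues


def detect_ssh_auth_failure(record: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Pull user, source IP and port out of an SSH 'Failed password'
    system event so it can be alerted on or counted per source."""
    if record.get("type") != "SYSTEM":
        return None
    m = SSH_AUTH_FAIL.search(record.get("description", ""))
    if m is None:
        return None
    return {"user": m["user"], "src_ip": m["src_ip"], "port": int(m["port"])}


if __name__ == "__main__":
    rec = parse_system_log(SAMPLE_LINE)
    for key in ("type", "subtype", "severity", "device_name", "high_res_timestamp"):
        print(f"{key:20} {rec[key]}")
    print("issues:", validate(SAMPLE_LINE))
    print("ssh auth failure:", detect_ssh_auth_failure(rec))
```

Running this against the sample line reports the missing date in the first field while the remaining 24 fields line up with the assumed layout, which is the kind of evidence worth attaching when asking whether the collector (rather than the module) is mangling the record.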