Palo Alto filter

Please, is this part of the config file correct:

else if [fields][log_type] == "paloalto" {
                csv {
                        "data" => "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype", "FUTURE_USE", "Generated Time", "src_ip", "dst_ip", "NAT Source IP", "NAT Destination IP", "Rule Name", "Source User", "Destination User", "Application", "Virtual System", "Source Zone", "Destination Zone", "src_interface", "dst_interface", "Log Forwarding Profile", "FUTURE_USE", "Session ID", "Repeat Count", "src_port", "dst_port", "NAT Source Port", "NAT Destination Port", "Flags", "protocol", "action", "Bytes", "Bytes Sent", "Bytes Received", "Packets", "Start Time", "Elapsed Time", "Category", "FUTURE_USE", "Sequence Number", "Action Flags", "Source Location", "Destination Location", "FUTURE_USE", "Packets Sent", "Packets Received", "Session End Reason", "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2", "Device Group Hierarchy Level 3", "Device Group Hierarchy Level 4", "Virtual System Name", "hostname", "Action Source"
                }
                mutate {
                        remove_field => [ "data" ]
                }
        }

No, the line with "data" => ... is wrong. Perhaps you mean

csv {
  source => "data"
  columns => ["FUTURE_USE", "Receive Time", ...]
  remove_field => "data"
}

?
