Palo Alto filter

asalma · May 22, 2018, 2:28pm

Please is this part of config file correcte :

else if [fields][log_type] == "paloalto" {
                csv {
                        "data" => "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype", "FUTURE_USE", "Generated Time", "src_ip", "dst_ip", "NAT Source IP", "NAT Destination IP", "Rule Name", "Source User", "Destination User", "Application", "Virtual System", "Source Zone", "Destination Zone", "src_interface", "dst_interface", "Log Forwarding Profile", "FUTURE_USE", "Session ID", "Repeat Count", "src_port", "dst_port", "NAT Source Port", "NAT Destination Port", "Flags", "protocol", "action", "Bytes", "Bytes Sent", "Bytes Received", "Packets", "Start Time", "Elapsed Time", "Category", "FUTURE_USE", "Sequence Number", "Action Flags", "Source Location", "Destination Location", "FUTURE_USE", "Packets Sent", "Packets Received", "Session End Reason", "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2", "Device Group Hierarchy Level 3", "Device Group Hierarchy Level 4", "Virtual System Name", "hostname", "Action Source"
                }
                mutate {
                        remove_field => [ "data" ]
                }
        }

magnusbaeck · May 24, 2018, 8:45pm

No, the line with "data" => ... is wrong. Perhaps you mean

csv {
  source => "data"
  columns = > ["FUTURE_USE", "Receive Time", ...]
  remove_field => "data"
}

?

system · June 21, 2018, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Filter help - Newbie question Logstash	6	317	February 17, 2022
Csv filter : how to deal with missing field? Logstash	3	530	December 23, 2021
Palo Alto Networks - Logstash > Elastic > Kibana Logstash	8	860	July 4, 2023
Grok add field after CSV Filter Logstash	1	390	December 9, 2019
If in filter drops event Logstash	2	296	January 19, 2020

Palo Alto filter

Related topics