Palo Alto Ingest Pipeline: Audit Logs

The 2 Grok patterns supplied in the PANW ingest pipelines are not sufficient for parsing audit logs. I have created the grok pattern required to parse PANW audit logs and even submitted a merge request, but no one ever looked at it and it just auto-closed.

Every time I update the PANW integration in Elasticsearch, the managed ingest pipeline is recreated and my grok pattern for the audit logs is deleted, and they start failing to parse. What is the best way to submit a change request for the PANW managed ingest pipeline?

Add Grok pattern for PANW Audit Logs by jameswiggins · Pull Request #16566 · elastic/integrations

What integration version are you using?

I suggest that you open an issue in the integrations repository and link your closed PR, so they can reopen it and you can keep working on it.

Your PR needs to pass all tests. Basically, you will need to add a sample message that matches your grok pattern to the audit sample file and run the tests locally so that the expected output file is generated, which validates that your changes will not break ingestion.

You can read more on how to test here.

A PR without this will not be accepted.
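Before reopening the PR it is worth checking offline that the new pattern claims every audit sample line and does not steal lines from the patterns that are already in the pipeline, because that is exactly what the package pipeline test diffs against the `-expected.json` file. The script below is an added example, not code from the panw integration or from either poster. It compiles a small grok subset to Python regexes and applies the grok processor's first-match rule over an ordered list of patterns; the `PANOS_DATE` definition (the local equivalent of the grok processor's `pattern_definitions`), the two patterns, the field names and the sample lines are all constructed for the demo and do not reproduce the real PAN-OS audit field order.

```python
"""Offline pre-flight check for a new grok pattern before opening an
integrations PR.  The package pipeline test pushes every line of the sample
file through the real ingest pipeline and diffs the result against the
*-expected.json file: a line no pattern claims fails the test, and a new
pattern that steals lines from an older one changes their expected output.
This script mimics that check with Python regexes (added example, not the
integration's code)."""
import re

# Subset of the grok pattern library (the ingest node ships many more).
# PANOS_DATE is a locally defined pattern, the equivalent of the grok
# processor's pattern_definitions option; it is an assumption for the demo.
GROK_LIB = {
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
    "PANOS_DATE": r"[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}",
}

_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME} / %{NAME:field} references into one compiled regex.
    Python group names cannot contain dots, so 'user.name' is stored as
    'user__name' and mapped back in parse_line()."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = _REF.sub(expand, GROK_LIB[name])  # library patterns may nest
        if field:
            return f"(?P<{field.replace('.', '__')}>{body})"
        return f"(?:{body})"
    return re.compile(_REF.sub(expand, pattern))


def compile_patterns(patterns: dict) -> dict:
    """Compile an ordered name -> grok pattern mapping, keeping the order."""
    return {name: grok_to_regex(p) for name, p in patterns.items()}


# Constructed patterns and samples: shaped only loosely like the
# comma-separated PAN-OS syslog body, NOT the real panw field order.
PATTERNS = {  # insertion order = the order the grok processor tries them
    "system": r"^%{NUMBER},%{PANOS_DATE:timestamp},%{WORD:serial},SYSTEM,"
              r"%{WORD:subtype},%{GREEDYDATA:message}$",
    "audit":  r"^%{NUMBER},%{PANOS_DATE:timestamp},%{WORD:serial},AUDIT,"
              r"%{WORD:subtype},%{WORD:user.name},%{GREEDYDATA:message}$",
}
COMPILED = compile_patterns(PATTERNS)

# The regression a reviewer guards against: a catch-all pattern placed ahead
# of the existing ones claims every line, so old samples change type.
LOOSE_PATTERNS = {"loose": r"^%{NUMBER},%{PANOS_DATE:timestamp},%{GREEDYDATA:message}$",
                  **PATTERNS}

# (sample line, pattern the expected output says should claim it); constructed.
SAMPLES = [
    ("1,2024/05/01 10:00:00,0123456789,SYSTEM,general,daemon restarted", "system"),
    ("1,2024/05/01 10:01:00,0123456789,AUDIT,config,admin,commit succeeded", "audit"),
]


def parse_line(line: str, compiled: dict = COMPILED):
    """Return (pattern_name, fields) from the FIRST pattern that matches,
    mirroring the grok processor's semantics, or (None, {}) if none does."""
    for name, rx in compiled.items():
        m = rx.match(line)
        if m:
            return name, {k.replace("__", "."): v for k, v in m.groupdict().items()}
    return None, {}


def check_samples(samples, compiled: dict = COMPILED) -> list:
    """Return human-readable failures: lines nobody matched, and lines
    claimed by a different pattern than the expected output records."""
    failures = []
    for line, expected in samples:
        got, _ = parse_line(line, compiled)
        if got is None:
            failures.append(f"unmatched: {line}")
        elif got != expected:
            failures.append(f"{line!r}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    for line, _ in SAMPLES:
        print(parse_line(line))
    problems = check_samples(SAMPLES)
    print("OK" if not problems else "\n".join(problems))
    print(check_samples(SAMPLES, compile_patterns(LOOSE_PATTERNS)))
```

`check_samples` is the part worth keeping: run it once with the current patterns and once with your new one added, and any old sample that changes pattern is the breakage the reviewer is talking about. It only approximates the ingest node (Oniguruma vs Python regexes, and no other processors), so the authoritative run is still `elastic-package test pipeline` inside the package directory, with its generate option to rewrite the expected files after you have confirmed the new output is what you want. One further caveat for the upgrade problem in the question: if the pattern is needed in production while the PR is pending, put it in the `logs-panw.panos@custom` pipeline that recent managed pipelines call (assuming the data stream is `panw.panos`), since that pipeline is not replaced when the integration is upgraded, unlike edits to the managed pipeline itself.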