Palo Alto Leef type logs (panw)

Hi,

I am getting logs from Palo Alto in LEEF format on a UDP port.
I tried to parse the data with the default panw module in Filebeat and also tried the cef module, but was not able to parse it.
Is there any other way in which I can parse the data? I want to integrate it with the SIEM UI.

Here is my sample log.

<14>May  4 14:48:01 BDNKOLPFW02 LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|9.0.2|allow|cat=TRAFFIC|ReceiveTime=2020/05/04 14:48:00|SerialNumber=016201009905|Type=TRAFFIC|Subtype=start|devTime=$cef-formattedreceive_time|src=10.11.254.207|dst=10.11.228.158|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=VPN-for-BCP01|usrName=|SUser=|DUser=|App=vnc-encrypted|VirtSyst=vsys1|SourceZone=BDN-BCP-VPN-Zone|DestinationZone=trust|IngressInterface=tunnel.30|EgressInterface=ethernet1/7|LogForwardingProfile=BDNDRLogForward|SessionID=963097|RepeatCount=1|srcPort=53264|dstPort=5900|srcPostNATPort=0|dstPostNATPort=0|Flags=0x4000|proto=tcp|totalBytes=223622528|dstBytes=209381240|srcBytes=14241288|totalPackets=525043|StartTime=2020/05/04 13:41:32|ElapsedTime=3987|URLCat=any|sequence=1031511185|ActFlags=0x0|SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=10.0.0.0-10.255.255.255|dstPkt=286427|srcPkt=238616|SessionEndReason=n/a|vSrcName=|DevName=BDNKOLPFW02|ActSource=from-policy|TunnelID=0|TunnelType=N/A|MonitorTag=
<14>May  4 14:48:00 BDNKOLPFW02 LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|9.0.2|allow|cat=TRAFFIC|ReceiveTime=2020/05/04 14:47:59|SerialNumber=016201009905|Type=TRAFFIC|Subtype=start|devTime=$cef-formattedreceive_time|src=112.79.165.66|dst=115.240.0.69|srcPostNAT=112.79.165.66|dstPostNAT=10.11.225.71|RuleName=BERP-Hosting|usrName=|SUser=|DUser=|App=ssl|VirtSyst=vsys1|SourceZone=untrust|DestinationZone=DMZ-WAF|IngressInterface=ethernet1/1|EgressInterface=ethernet1/5|LogForwardingProfile=BDNDRLogForward|SessionID=372254|RepeatCount=1|srcPort=65497|dstPort=443|srcPostNATPort=65497|dstPostNATPort=443|Flags=0x404000|proto=tcp|totalBytes=773|dstBytes=66|srcBytes=707|totalPackets=4|StartTime=2020/05/04 14:47:59|ElapsedTime=0|URLCat=any|sequence=1031511044|ActFlags=0x0|SourceLocation=India|DestinationLocation=India|dstPkt=1|srcPkt=3|SessionEndReason=n/a|vSrcName=|DevName=BDNKOLPFW02|ActSource=from-policy|TunnelID=0|TunnelType=N/A|MonitorTag=

Kindly help,
Tahseen

Hi, I see that the log patterns the module supports do not look like yours. See a sample here for the panw module.

Same for the cef module here.

I wonder whether your log patterns can be tuned by the service you collect from, for instance by removing the timestamp from the beginning. Maybe that way you can make the cef module parse these logs.

If the modules cannot cover your case, then you will need to forward these logs with Filebeat to a Logstash server and parse them with custom patterns (grok) specific to your case.

Regards.
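Since neither module matches this format, here is a stand-alone Python parser for the syslog-wrapped LEEF 1.0 lines in the question, added as an example and not code from this thread or from Filebeat/Logstash: it splits on "|" the way a custom grok/kv pipeline would, keeps empty values, derives facility and severity from the syslog PRI, and falls back to ReceiveTime because devTime in the sample holds an unexpanded placeholder. The embedded sample is an abridged copy of the first log line from the question.

```python
import re
from datetime import datetime

# Syslog PRI, BSD timestamp and host, then the LEEF payload.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} "
                       r"\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<leef>LEEF:.*)$")
HEADER_KEYS = ("leef_version", "vendor", "product", "version", "event_id")
INT_FIELDS = {"srcPort", "dstPort", "srcPostNATPort", "dstPostNATPort", "totalBytes",
              "srcBytes", "dstBytes", "totalPackets", "srcPkt", "dstPkt", "SessionID"}

# Abridged copy of the first sample line in the question (attributes dropped for brevity).
SAMPLE = ("<14>May  4 14:48:01 BDNKOLPFW02 LEEF:1.0|Palo Alto Networks|"
          "PAN-OS Syslog Integration|9.0.2|allow|cat=TRAFFIC|"
          "ReceiveTime=2020/05/04 14:48:00|Type=TRAFFIC|Subtype=start|"
          "devTime=$cef-formattedreceive_time|src=10.11.254.207|dst=10.11.228.158|"
          "RuleName=VPN-for-BCP01|usrName=|App=vnc-encrypted|SessionID=963097|"
          "srcPort=53264|dstPort=5900|proto=tcp|totalBytes=223622528|MonitorTag=")

def event_time(attrs):
    # devTime in the sample is the unexpanded placeholder "$cef-formattedreceive_time",
    # so fall back to ReceiveTime when devTime is missing or unexpanded.
    for key in ("devTime", "ReceiveTime"):
        value = attrs.get(key, "")
        if value and not value.startswith("$"):
            try:
                return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
            except ValueError:
                continue
    return None

def parse_leef_line(line):
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped LEEF line")
    # LEEF:1.0|Vendor|Product|Version|EventID|key=value|...  PAN-OS separates
    # attributes with '|' instead of LEEF's default tab, so split on '|'.
    parts = m.group("leef").split("|")
    if len(parts) < 6:
        raise ValueError("malformed LEEF header")
    header = dict(zip(HEADER_KEYS, parts[:5]))
    header["leef_version"] = header["leef_version"][len("LEEF:"):]
    attrs = {}
    for field in parts[5:]:
        key, sep, value = field.partition("=")
        if sep:  # keep empty values such as usrName= as ""; drop junk without '='
            attrs[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    pri = int(m.group("pri"))  # <14> = facility 1 (user), severity 6 (info)
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group("host"),
            "header": header, "attrs": attrs, "event_time": event_time(attrs)}
```

Feed each UDP datagram through parse_leef_line and ship the returned dict as the event; anything that raises ValueError is a line the forwarder did not format as expected and is worth keeping for inspection.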

Thank you,

I tried removing the timestamp, but it's not working.
That means I have to do it manually with Logstash.

Thanks,
Tahseen.
