Hello Everyone - Hoping I have a simple solution.
Testing out the Elastic Stack with Palo Alto syslogs, and running into issues with the GeoIP lookups and combining the lon/lat so that I can use Maps in Kibana. Not sure what else needs to be done to get this to work. It's been a few months and I had moved away from it, but now I'm trying to fix it again and it's driving me crazy.
input {
  # Syslog listener for the PAN-OS forwarder. Binding 0.0.0.0 exposes the port on
  # every interface; syslog carries no sender authentication, so reachability to
  # 5144 should be restricted (network ACL) to the firewall's management address.
  syslog {
    port => 5144
    host => "0.0.0.0"
    # Tag used by the filter and output stages to recognise these events.
    tags => ["PANOS-SYSLOG"]
  }
}
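filter {
  if "PANOS-SYSLOG" in [tags] {
    # Only TRAFFIC records are parsed. THREAT/SYSTEM/CONFIG lines stay as the raw
    # [message] and never receive the PANOS-TRAFFIC tag the output stage keys on.
    if ([message] =~ /TRAFFIC/) {
      csv {
        separator => ","
        # PAN-OS traffic-log column order. "FUTURE_USE" and "Serial Number" appear
        # more than once in the vendor layout; for a repeated column name the csv
        # filter keeps only the LAST value. "Destinatin VM UUID" is a typo in the
        # column name, but renaming it would change the indexed field name.
        columns => [ "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Threat Content Type", "FUTURE_USE", "Generated Time", "SourceIP",
        "DestinationIP", "NAT Source IP", "NAT Destination IP", "Rule Name", "Source User", "Destination User", "Application", "VSYS",
        "Source Zone", "Destination Zone", "Inbound Interface", "Outbound Interface", "Log Action", "FUTURE_USE", "Session ID", "Repeat Count", "Source Port",
        "Destination Port", "NAT Source Port", "NAT Destination Port", "Flags", "Protocol", "Action", "Bytes", "Bytes Sent", "Bytes Received", "Packets", "Start Time",
        "Elapsed Time", "Category", "FUTURE_USE", "Sequence Number", "Action Flags", "Source Country", "Destination Country", "FUTURE_USE", "Packets Sent",
        "Packets Received", "Session End Reason", "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2", "Device Group Hierarchy Level 3",
        "Device Group Hierarchy Level 4", "VSYS Name", "Device Name", "Action Source", "Source VM UUID", "Destinatin VM UUID", "Tunnel ID IMSI", "Monitor Tag IMEI",
        "Parent Session ID", "Parent Start Time", "Tunnel Type", "SCTP Association ID", "SCTP Chunks", "SCTP Chunks Sent", "SCTP Chunks Received", "Rule UUID", "HTTP2 Connection",
        "App Flap Count", "Policy ID", "Link Switches", "SDWAN Cluster", "SDWAN Device Type", "SDWAN Cluster Type", "SDWAN Site", "Dynamic User Group Name", "XFF Address",
        "Source Device Category", "Source Device Profile", "Source Device Model", "Source Device Vendor", "Source Device OS Family", "Source Device OS Version",
        "Source Hostname", "Source Mac Address", "Destination Device Category", "Destination Device Profile", "Destination Device Model", "Destination Device Vendor",
        "Destination Device OS Family", "Destination Device OS Version", "Destination Hostname", "Destination Mac Address", "Container ID", "POD Namespace",
        "POD Name", "Source External Dynamic List", "Destination External Dynamic List", "Host ID", "Serial Number", "Source Dynamic Address Group",
        "Destination Dynamic Address Group", "Session Owner", "Timestamp", "A Slice Service Type", "A Slice Differentiator", "Application Subcategory",
        "Application Category", "Application Technology", "Application Risk", "Application Characteristic", "Application Container", "Tunneled Application",
        "Application SaaS", "Application Sanctioned State", "Offloaded", "Flow Type", "Cluster Name" ]
      }
      mutate {
        # Coerce counters/flags so Elasticsearch does not dynamically map them as
        # keyword strings. The former "geoip.*" conversions were dropped: no geoip
        # filter has run at this point, and the lookups below write under
        # [SourceIPGeo]/[DestinationIPGeo], so those fields never existed here;
        # the geoip filter already emits numeric latitude/longitude.
        convert => [ "Bytes", "integer" ]
        convert => [ "Bytes Received", "integer" ]
        convert => [ "Bytes Sent", "integer" ]
        convert => [ "Elapsed Time", "integer" ]
        convert => [ "NAT Destination Port", "integer" ]
        convert => [ "NAT Source Port", "integer" ]
        convert => [ "Packets", "integer" ]
        convert => [ "Packets Received", "integer" ]
        convert => [ "Packets Sent", "integer" ]
        convert => [ "Sequence Number", "integer" ]
        convert => [ "Application SaaS", "boolean" ]
        convert => [ "Application Sanctioned State", "boolean" ]
        add_tag => [ "PANOS-TRAFFIC" ]
      }
    }

    # GeoIP enrichment. RFC 1918, loopback and link-local addresses are skipped:
    # the database has no entry for them and every miss would tag the event with
    # _geoip_lookup_failure. The loopback test now covers all of 127/8, not just
    # 127.0.0.1.
    #
    # Kibana Maps needs the location field mapped as geo_point. The template that
    # ships with Logstash only applies to the "logstash-*" index pattern and the
    # default "geoip" target; with index "firewall-traffic-*" and custom targets
    # the field is left to dynamic mapping (plain numbers). NOTE(review): this is
    # the most likely reason Maps shows nothing — confirm with
    # GET firewall-traffic-*/_mapping and add an index template that maps
    # SourceIPGeo.location / DestinationIPGeo.location as geo_point.
    if [SourceIP] and [SourceIP] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
      geoip {
        source => "SourceIP"
        target => "SourceIPGeo"
      }
      # [SourceIPGeo.location] (a dotted name inside ONE bracket pair) addresses a
      # top-level field literally named "SourceIPGeo.location", not the nested
      # location the geoip filter wrote, so the original check could never fire
      # and the replace created a stray field. Nested fields are [outer][inner].
      # Removing the field is also safer than writing "" into it: an empty string
      # in a geo_point-mapped field is rejected at index time, dropping the event.
      # NOTE(review): on Logstash 8 with ECS compatibility enabled the geoip
      # filter writes [SourceIPGeo][geo][location] instead, and whether the
      # =~ "0,0" test matches the hash form of location should be confirmed
      # against a real event.
      if [SourceIPGeo][location] and [SourceIPGeo][location] =~ "0,0" {
        mutate {
          remove_field => [ "[SourceIPGeo][location]" ]
        }
      }
    }
    if [DestinationIP] and [DestinationIP] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
      geoip {
        source => "DestinationIP"
        target => "DestinationIPGeo"
      }
      # Same field-reference fix as for SourceIPGeo above.
      if [DestinationIPGeo][location] and [DestinationIPGeo][location] =~ "0,0" {
        mutate {
          remove_field => [ "[DestinationIPGeo][location]" ]
        }
      }
    }

    # Stable per-flow identifier (5-tuple) written to the default "fingerprint"
    # field, used to correlate records of the same session. SHA1 plus a key is an
    # HMAC here; the key only makes the value non-reproducible by third parties,
    # it is not protecting any secret.
    if [SourceIP] and [DestinationIP] {
      fingerprint {
        concatenate_sources => true
        method => "SHA1"
        key => "logstash"
        source => [ "SourceIP", "Source Port", "DestinationIP", "Destination Port", "Protocol" ]
      }
    }
  }
}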
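output {
  # Only fully parsed TRAFFIC records are indexed (tag set by the filter stage).
  if "PANOS-TRAFFIC" in [tags] {
    elasticsearch {
      hosts => ["https://ElasticIPAddress:9200"]
      index => "firewall-traffic-%{+YYYY.MM.dd}"
      # Credentials are resolved at startup via ${VAR} substitution from the
      # Logstash keystore or the environment instead of being committed in the
      # pipeline file. ES_USER / ES_PASSWORD are placeholder names — pick your own.
      user => "${ES_USER}"
      password => "${ES_PASSWORD}"
      # TLS with the cluster CA pinned; keep ssl_certificate_verification at its
      # default (enabled). NOTE(review): newer Logstash releases rename these to
      # ssl_enabled / ssl_certificate_authorities — confirm for your version.
      ssl => true
      cacert => "cert-path"
      # NOTE(review): for Kibana Maps the index needs a geo_point mapping for
      # SourceIPGeo.location / DestinationIPGeo.location; the bundled Logstash
      # template does not cover "firewall-traffic-*". Either manage a template in
      # Elasticsearch or point this output at one with
      # template => "<path-to-template.json>" and template_name.
    }
  }
}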