Palo alto sent to server via syslog

GEHsu · October 18, 2022, 9:40am

I tried paloalto (TRAFFIC/THREAT) 2 kinds of logs. Build to a different index.

Below is my Logstash config

input {
  syslog {
    port => "4560"
  }
}

filter {
  # Traffic Logs
  grok {
    match => { "message" => "%{DATA:future_use},%{DATA:ReceiveTime},%{DATA:Serial},(?<Type>TRAFFIC),%{DATA:ThreatType},%{DATA:future_use},%{DATA:GenerateTime},%{IP:SourceAddress},%{IP:DestinationAddress},%{DATA:NATSourceIP},%{DATA:NATDestinationIP},%{DATA:Rule},%{DATA:SourceUser},%{DATA:DestinationUser},%{DATA:Application},%{DATA:VirtualSystem},%{DATA:SourceZone},%{DATA:DestinationZone},%{DATA:InboundInterface},%{DATA:OutboundInterface},%{DATA:LogAction},%{DATA:TimeLogged},%{DATA:SessionID},%{DATA:RepeatCount},%{DATA:SourcePort},%{DATA:DestinationPort},%{DATA:NATSourcePort},%{DATA:NATDestinationPort},%{DATA:Flags},%{DATA:Protocol},%{DATA:Action},%{DATA:Bytes},%{DATA:BytesSent},%{DATA:BytesReceived},%{DATA:Packets},%{DATA:StartTime},%{DATA:ElapsedTime},%{DATA:Category},%{DATA:future_use},%{DATA:Serial},%{DATA:ActionFlags},%{DATA:SourceCountry},%{DATA:DestinationCountry},%{DATA:future_use},%{DATA:PacketsSent},%{DATA:PacketsReceived},%{DATA:SessionEndReason}," }
        remove_field => ["future_use", "Serial", "GenerateTime"]
    }
  # Threat Logs
  grok {
    match => { "message" => "%{DATA:future_use},%{DATA:ReceiveTime},%{DATA:Serial},(?<Type>THREAT),%{DATA:ThreatType},%{DATA:future_use},%{DATA:GenerateTime},%{IP:SourceAddress},%{IP:DestinationAddress},%{DATA:NATSourceIP},%{DATA:NATDestinationIP},%{DATA:Rule},%{DATA:SourceUser},%{DATA:DestinationUser},%{DATA:Application},%{DATA:VirtualSystem},%{DATA:SourceZone},%{DATA:DestinationZone},%{DATA:InboundInterface},%{DATA:OutboundInterface},%{DATA:LogAction},%{DATA:TimeLogged},%{DATA:SessionID},%{DATA:RepeatCount},%{DATA:SourcePort},%{DATA:DestinationPort},%{DATA:NATSourcePort},%{DATA:NATDestinationPort},%{DATA:Flags},%{DATA:Protocol},%{DATA:Action},%{DATA:URL_Filename},%{DATA:ThreatID},%{DATA:Category},%{DATA:Severity},%{DATA:Direction},%{DATA:SequenceNumber},%{DATA:ActionFlags},%{DATA:SourceCountry},%{DATA:DestinationCountry}," }
        remove_field => ["future_use", "Serial", "GenerateTime", "SequenceNumber"]
    }
  # URL  Log
#  grok {
#    match => { "message" => "%{DATA:future_use},%{DATA:ReceiveTime},%{DATA:Serial},(?<Type>THREAT),(?<ThreatType>url),%{DATA:future_use},%{DATA:GenerateTime},%{IP:SourceAddress},%{IP:DestinationAddress},%{DATA:NATSourceIP},%{DATA:NATDestinationIP},%{DATA:Rule},%{DATA:SourceUser},%{DATA:DestinationUser},%{DATA:Application},%{DATA:VirtualSystem},%{DATA:SourceZone},%{DATA:DestinationZone},%{DATA:InboundInterface},%{DATA:OutboundInterface},%{DATA:LogAction},%{DATA:TimeLogged},%{DATA:SessionID},%{DATA:RepeatCount},%{DATA:SourcePort},%{DATA:DestinationPort},%{DATA:NATSourcePort},%{DATA:NATDestinationPort},%{DATA:Flags},%{DATA:Protocol},%{DATA:Action},%{DATA:URL_Filename},%{DATA:ThreatID},%{DATA:Category},%{DATA:Severity},%{DATA:Direction},%{DATA:SequenceNumber},%{DATA:ActionFlags},%{DATA:SourceCountry},%{DATA:DestinationCountry}," }
#       remove_field => ["future_use", "Serial", "GenerateTime", "SequenceNumber"]
#    }
 #vulnerability  Logs
#  grok {
#    match => { "message" => "%{DATA:future_use},%{DATA:ReceiveTime},%{DATA:Serial},(?<Type>THREAT),(?<ThreatType>vulnerability),%{DATA:future_use},%{DATA:GenerateTime},%{IP:SourceAddress},%{IP:DestinationAddress},%{DATA:NATSourceIP},%{DATA:NATDestinationIP},%{DATA:Rule},%{DATA:SourceUser},%{DATA:DestinationUser},%{DATA:Application},%{DATA:VirtualSystem},%{DATA:SourceZone},%{DATA:DestinationZone},%{DATA:InboundInterface},%{DATA:OutboundInterface},%{DATA:LogAction},%{DATA:TimeLogged},%{DATA:SessionID},%{DATA:RepeatCount},%{DATA:SourcePort},%{DATA:DestinationPort},%{DATA:NATSourcePort},%{DATA:NATDestinationPort},%{DATA:Flags},%{DATA:Protocol},%{DATA:Action},%{DATA:URL_Filename},%{DATA:ThreatID},%{DATA:Category},%{DATA:Severity},%{DATA:Direction},%{DATA:SequenceNumber},%{DATA:ActionFlags},%{DATA:SourceCountry},%{DATA:DestinationCountry}," }
#       remove_field => ["future_use", "Serial", "GenerateTime", "SequenceNumber"]
#    }
}
output {
if [Type] == "TRAFFIC" {
   elasticsearch {
     hosts => ["localhost:9200"]
     index => "traffic_logs-%{+YYYY.MM.dd}"
     }
   }
else if [Type] == "THREAT" {
   elasticsearch {
     hosts => ["localhost:9200"]
     index => "threat_logs-%{+YYYY.MM.dd}"
     }
   }
#if [Type] == "THREAT" and [ThreatType] == url {
#   elasticsearch {
#     hosts => ["localhost:9200"]
#     index => "url_logs-%{+YYYY.MM.dd}"
#     }
#   }
#if [Type] == "THREAT" and [ThreatType] == vulnerability  {
#   elasticsearch {
#     hosts => ["localhost:9200"]
#     index => "vulnerability_logs-%{+YYYY.MM.dd}"
#     }
#   }

}

I originally wanted to create a different index for TRAFFIC logs/THREAT logs/THREAT logs ThreatType:url/THREAT logs ThreatType:vulnerability

Tried a variety of settings. Use the check command to show OK. But there is no data input to elasticsearch.

system · November 15, 2022, 9:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.