Palo Alto [SIEM]

Hi, everyone

I have tested the Palo Alto module (Filebeat 7.5.2). I have used this module with the Syslog and File inputs.

Syslog

- module: panw
  panos:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

File

- module: panw
  panos:
    enabled: true
    var.input: file
    var.paths: ["/var/log/palo-alto/messages.log"]

It has parsed Palo Alto information very well. However, on SIEM, it shows the hostname in which Filebeat has been installed (in my case labs-eshost7).

Moreover, on Discover, there are some fields related to hostname.

  • agent.hostname: labs-eshost7
  • host.name: labs-eshost7 (SIEM uses this field)
  • hostname: "firewall-name"
  • observer.hostname: "firewall-name"

Is it possible to use a different field instead of host.name? Or is it possible to copy the value of hostname or observer.hostname into host.name?

Regards :vulcan_salute:


Yes, we're aware of this limitation. Beats used to hardcode host.name to the host they're running on, which is misleading for events received from remote hosts.

Starting with 7.9.0, Filebeat will add the correct host.name in the case of PANW and all other modules which receive data from remote systems.

As a quick workaround, you can add the following processor to the main filebeat.yml:

  - convert:
      fields:
        - {from: observer.hostname, to: host.name}
      ignore_missing: true
      when.equals.event.dataset: 'panw.panos'

And make sure you undo this when migrating to 7.9+.

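To make the effect of that workaround checkable before touching a live filebeat.yml, here is an added example (not Beats code and not from the thread's participants) that simulates the documented semantics of the convert processor in copy mode: the from/to field copy, ignore_missing, and the when.equals condition on event.dataset. The sample events and the hostnames in them are constructed placeholders; the helper names get_path, set_path, convert_processor and host_names_after_fix are this example's own.

```python
# Added example: a small simulation of the Filebeat "convert" processor from
# the answer above (copy mode, ignore_missing, when.equals on event.dataset).
# It is not Beats code; it mimics the documented semantics so the effect on
# host.name can be checked offline on constructed events.
import copy


def get_path(doc, dotted):
    """Look up a dotted field name in a nested dict; return (value, found)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def set_path(doc, dotted, value):
    """Set a dotted field name in a nested dict, creating parents as needed."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def convert_processor(event, fields, ignore_missing=False, when_equals=None):
    """Apply one convert processor (copy mode, no type conversion) to an event.

    Returns a new event. A missing source field raises KeyError unless
    ignore_missing is set; an unmet `when` condition leaves the event untouched.
    """
    ev = copy.deepcopy(event)
    if when_equals:
        for key, expected in when_equals.items():
            actual, found = get_path(ev, key)
            if not found or actual != expected:
                return ev  # condition not met: processor skipped
    for spec in fields:
        value, found = get_path(ev, spec["from"])
        if not found:
            if ignore_missing:
                continue
            raise KeyError(spec["from"])
        set_path(ev, spec["to"], value)
    return ev


# The processor from the answer, expressed as keyword arguments (hypothetical
# representation of the YAML, not a Beats API).
PANW_HOSTNAME_FIX = dict(
    fields=[{"from": "observer.hostname", "to": "host.name"}],
    ignore_missing=True,
    when_equals={"event.dataset": "panw.panos"},
)

# Constructed sample events; hostnames are placeholders, not real systems.
SAMPLE_EVENTS = [
    # PANW event with observer.hostname: host.name should become the firewall name
    {"event": {"dataset": "panw.panos"}, "host": {"name": "labs-eshost7"},
     "observer": {"hostname": "firewall-name"}},
    # PANW event without observer.hostname: ignore_missing keeps the event as is
    {"event": {"dataset": "panw.panos"}, "host": {"name": "labs-eshost7"}},
    # Event from another dataset: the when condition leaves host.name alone
    {"event": {"dataset": "system.syslog"}, "host": {"name": "labs-eshost7"},
     "observer": {"hostname": "some-other-box"}},
]


def host_names_after_fix(events=SAMPLE_EVENTS):
    """Return host.name for each event after the workaround processor runs."""
    return [convert_processor(e, **PANW_HOSTNAME_FIX)["host"]["name"]
            for e in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, host_names_after_fix()):
        print(before["event"]["dataset"], before["host"]["name"], "->", after)
```

The third event is the reason the `when.equals.event.dataset` condition matters: without it, any module that populates observer.hostname would also have its host.name overwritten, which is the kind of side effect to look for when reviewing events from other modules after enabling the workaround.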

Hi, @adrisr

Thanks for the answer :grinning:

Thanks in advance,

Regards