Palo Alto [SIEM]

RdrgPorto · June 18, 2020, 3:27pm

Hi, everyone

I have tested with Palo Alto module (Filebeat 7.5.2). I have used this module with Syslog and File inputs.

Syslog

- module: panw
  panos:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

File

- module: panw
  panos:
    enabled: true
    var.input: file
    var.paths: ["/var/log/palo-alto/messages.log"]

It has parsed Palo Alto information very well. However, on SIEM, it shows the hostname in which Filebeat has been installed (in my case labs-eshost7).

Moreover, on Discover, there are some fields related to hostname.

agent.hostname: labs-eshost7
host.name: labs-eshost7 (SIEM use this field)
hostname: "firewall-name"
observer.hostname: "firewall-name"

Is it possible to use a different field instead of host.name? or Is it possible to copy the value of hostname or observer.hostname into host.name?

Regards

adrisr · June 19, 2020, 2:18pm

Yes, we're aware of this limitation. Beats used to hardcode host.name to the host they're running on, which is misleading for events received from remote hosts.

Starting on 7.9.0, Filebeat will add the correct host.name in the case of PANW and all other modules which receive data from remote systems.

As a quick workaround, you can add the following processor to the main filebeat.yml:

  - convert:
      fields:
          - {from: observer.hostname, to: host.name}
      ignore_missing: true
      when.equals.event.dataset: 'panw.panos'

And make sure you undo this when migrating to 7.9+

RdrgPorto · June 19, 2020, 2:27pm

Hi, @adrisr

Thanks for the answer

Thanks in advance,

Regards

system · July 17, 2020, 2:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.