Palo Alto [SIEM]

Hi, everyone

I have tested the Palo Alto module (Filebeat 7.5.2). I have used this module with the Syslog and File inputs.


- module: panw
  enabled: true
  var.syslog_port: 514

- module: panw
  enabled: true
  var.input: file
  var.paths: ["/var/log/palo-alto/messages.log"]

It has parsed Palo Alto information very well. However, on SIEM, it shows the hostname in which Filebeat has been installed (in my case labs-eshost7).

Moreover, on Discover, there are some fields related to hostname.

  • agent.hostname: labs-eshost7
  • labs-eshost7 (the SIEM uses this field)
  • hostname: "firewall-name"
  • observer.hostname: "firewall-name"

Is it possible to use a different field instead of, or is it possible to copy the value of hostname or observer.hostname into

Regards :vulcan_salute:


Yes, we're aware of this limitation. Beats used to hardcode to the host they're running on, which is misleading for events received from remote hosts.

Starting with 7.9.0, Filebeat will add the correct in the case of PANW and all other modules which receive data from remote systems.

As a quick workaround, you can add the following processor to the main filebeat.yml:

processors:
  - convert:
      fields:
        - {from: observer.hostname, to:}
      ignore_missing: true
      when.equals.event.dataset: 'panw.panos'

And make sure you undo this when migrating to 7.9+.

1 Like
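The convert workaround above, modelled as an added Python example so its effect can be checked against sample events before editing filebeat.yml. This is not Filebeat's own code and not from the thread; it reproduces the documented semantics of the convert processor in copy mode (from/to, ignore_missing, and the when.equals.event.dataset condition). The target field host.name is an assumption, since the reply leaves it unnamed, and the three events are constructed.

```python
"""Model of the Filebeat `convert` processor workaround from the thread.

Added example, not Filebeat's code. It reproduces the documented semantics
of `convert` in copy mode (`from` -> `to`, `ignore_missing`, gated by
`when.equals.event.dataset`) over constructed events. The target field
`host.name` is an assumption: the thread does not name it.
"""
import copy

# Processor configuration as it would appear in filebeat.yml (target field assumed).
CONVERT_CONFIG = {
    "fields": [{"from": "observer.hostname", "to": "host.name"}],
    "ignore_missing": True,
    "when": {"equals": {"event.dataset": "panw.panos"}},
}


def get_path(event, dotted):
    """Return the value at a dotted path, or None if any segment is missing."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def set_path(event, dotted, value):
    """Set a value at a dotted path, creating intermediate objects as needed."""
    node = event
    keys = dotted.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def convert_processor(event, config=CONVERT_CONFIG):
    """Apply the convert processor (copy mode) to one event; returns a new event."""
    out = copy.deepcopy(event)
    # `when.equals`: every listed field must match exactly, otherwise skip the processor.
    for field, expected in config.get("when", {}).get("equals", {}).items():
        if get_path(out, field) != expected:
            return out
    for spec in config["fields"]:
        value = get_path(out, spec["from"])
        if value is None:
            if config.get("ignore_missing"):
                continue  # leave the event untouched instead of failing it
            raise KeyError(f"source field {spec['from']} missing")
        set_path(out, spec["to"], value)
    return out


# Constructed events: a PAN-OS syslog event, an unrelated system log event,
# and a PAN-OS event without observer.hostname, all from Filebeat on labs-eshost7.
SAMPLE_EVENTS = [
    {
        "event": {"dataset": "panw.panos"},
        "agent": {"hostname": "labs-eshost7"},
        "host": {"name": "labs-eshost7"},
        "observer": {"hostname": "firewall-name"},
    },
    {
        "event": {"dataset": "system.syslog"},
        "agent": {"hostname": "labs-eshost7"},
        "host": {"name": "labs-eshost7"},
    },
    {
        # ignore_missing: true keeps this event intact rather than dropping it.
        "event": {"dataset": "panw.panos"},
        "agent": {"hostname": "labs-eshost7"},
        "host": {"name": "labs-eshost7"},
    },
]


def host_names_after_processing(events=SAMPLE_EVENTS):
    """Run the processor over the events and return the resulting host.name values."""
    return [get_path(convert_processor(e), "host.name") for e in events]


if __name__ == "__main__":
    for ev, name in zip(SAMPLE_EVENTS, host_names_after_processing()):
        print(f"{ev['event']['dataset']:<14} host.name -> {name}")
```

Only the panw.panos event that actually carries observer.hostname gets its host field rewritten; the system log keeps the Filebeat host, and agent.hostname is left alone everywhere, which is what you want if you still need to know which collector received the event.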

Hi, @adrisr

Thanks for the answer :grinning:

Thanks in advance,

