PANOS filebeat doesn't parse VPN logs

As per the title, the following is an example of a log received and parsed by the Filebeat panw module (panos fileset).
Notice that event.original has been preserved, but the content of the actual message is lost after parsing: apart from panw.panos.type and panw.panos.sub_type, none of the fields carried in the SYSTEM/vpn message are extracted.

{
  "_index": ".ds-filebeat-8.3.2-2022.07.12-000001",
  "_id": "g-ZHIIIBSFUr2RK98qZE",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "panw-beat-beat-filebeat-sn7wn",
      "id": "00469ffe-3751-4cbd-8d9c-a0ea3f4dfb2d",
      "ephemeral_id": "7721b1ae-2d39-4b6a-b2bd-3f2c4878591f",
      "type": "filebeat",
      "version": "8.3.2"
    },
    "log": {
      "source": {
        "address": "192.168.195.62:57745"
      }
    },
    "syslog": {
      "priority": 14,
      "facility": 1,
      "severity_label": "Informational",
      "facility_label": "user-level"
    },
    "fileset": {
      "name": "panos"
    },
    "panw": {
      "panos": {
        "sub_type": "vpn",
        "type": "SYSTEM"
      }
    },
    "tags": [
      "pan-os",
      "forwarded",
      "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
      "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
    ],
    "input": {
      "type": "syslog"
    },
    "observer": {
      "product": "PAN-OS",
      "vendor": "Palo Alto Networks",
      "serial_number": "001701001659",
      "type": "firewall"
    },
    "hostname": "panorama-02.schibsted-it.no",
    "@timestamp": "2022-07-21T12:22:38.000Z",
    "ecs": {
      "version": "1.12.0"
    },
    "service": {
      "type": "panw"
    },
    "event": {
      "severity": 6,
      "ingested": "2022-07-21T10:22:42.243427234Z",
      "original": "1,2022/07/21 12:22:41,001701001659,SYSTEM,vpn,0,2022/07/21 12:22:38,,ikev2-nego-child-start,ikeGW-SR22189880,0,0,general,informational,\"IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: 152.90.201.42[500]-13.49.81.211[500] message id:0x0000004A.\",24104144,0x8000000000000000,0,0,0,0,,vpn-gw-02",
      "timezone": "+00:00",
      "created": "2022-07-21T12:22:41.000Z",
      "module": "panw",
      "dataset": "panw.panos",
      "outcome": "success"
    }
  },
  "fields": {
    "syslog.facility": [
      1
    ],
    "service.type": [
      "panw"
    ],
    "observer.vendor": [
      "Palo Alto Networks"
    ],
    "hostname": [
      "panorama-02.xxxxxxxxxx.no"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "panw"
    ],
    "panw.panos.sub_type": [
      "vpn"
    ],
    "panw.panos.type": [
      "SYSTEM"
    ],
    "observer.product": [
      "PAN-OS"
    ],
    "agent.name": [
      "panw-beat-beat-filebeat-sn7wn"
    ],
    "event.timezone": [
      "+00:00"
    ],
    "event.outcome": [
      "success"
    ],
    "event.severity": [
      6
    ],
    "event.original": [
      "1,2022/07/21 12:22:41,001701001659,SYSTEM,vpn,0,2022/07/21 12:22:38,,ikev2-nego-child-start,ikeGW-SR22189880,0,0,general,informational,\"IKEv2 child SA negotiation is started as responder, rekey. Initiated SA: 152.90.201.42[500]-13.49.81.211[500] message id:0x0000004A.\",24104144,0x8000000000000000,0,0,0,0,,vpn-gw-02"
    ],
    "syslog.priority": [
      14
    ],
    "fileset.name": [
      "panos"
    ],
    "input.type": [
      "syslog"
    ],
    "agent.hostname": [
      "panw-beat-beat-filebeat-sn7wn"
    ],
    "tags": [
      "pan-os",
      "forwarded",
      "_geoip_database_unavailable_GeoLite2-ASN.mmdb",
      "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
    ],
    "observer.serial_number": [
      "001701001659"
    ],
    "event.ingested": [
      "2022-07-21T10:22:42.243Z"
    ],
    "syslog.severity_label": [
      "Informational"
    ],
    "@timestamp": [
      "2022-07-21T12:22:38.000Z"
    ],
    "agent.id": [
      "00469ffe-3751-4cbd-8d9c-a0ea3f4dfb2d"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "observer.type": [
      "firewall"
    ],
    "log.source.address": [
      "192.168.195.62:57745"
    ],
    "event.created": [
      "2022-07-21T12:22:41.000Z"
    ],
    "syslog.facility_label": [
      "user-level"
    ],
    "agent.ephemeral_id": [
      "7721b1ae-2d39-4b6a-b2bd-3f2c4878591f"
    ],
    "agent.version": [
      "8.3.2"
    ],
    "event.dataset": [
      "panw.panos"
    ]
  }
}
