Elastic Cluster Version 7.14.0. I am using Elastic-Agent and the PANW integration to ingest Palo Alto Firewall logs. Once ingested, the event times are incorrect by the equivalent of the timezone offset. I have found articles on how to resolve this with Filebeat and the associated module, but I'm struggling with how to achieve this in the Elastic-Agent and integration world. I'm referencing https://discuss.elastic.co/t/panw-module-timezone-offset/191360
When I view the record there is no event.timezone field. I have tried to add to the integration processor as follows (I have left the drop_fields line in):
Hi there @neil6323. Thanks for reporting the issue.
The issue with the integration is that, from what I can see, the timezone is never included in the logs themselves, so there is no way for us to determine the timezone.
Usually there are 2 options here when the source does not include a timezone:
You can define a custom timezone for the data itself.
What if we add an option in the integration page to fill in the timezone you want to use? So when you set up the Panw integration policy, in the settings page where you define all your settings, we can have a field to define the timezone as well, which defaults to the local timezone of the beat?
Hi Marius,
Thanks for your response. Yes, your understanding is spot on. Ultimately, this issue is down to no timezone being sent in the log. And the onward effect is that the external threat reporting is all out of sync.
I think the option you've given to add a timezone in the settings page would solve the problem nicely.
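Until the integration exposes a timezone setting, the same effect can be reached with an Elasticsearch ingest pipeline that stamps a configured timezone onto each event and re-parses the naive PAN-OS timestamp with it. The pipeline below is an added example written for this thread, not the PANW integration's own pipeline: it assumes that the cluster honours a `logs-panw.panos@custom` pipeline chained after the integration pipeline, that the raw generated time survives in a field named `panw.panos.generated_time` in `yyyy/MM/dd HH:mm:ss` form (a placeholder name; check the actual field in your documents), and that the firewall clock is set to `Europe/London` (a constructed value; replace it with the firewall's real zone).

```json
{
  "description": "Added example, not the integration's pipeline: apply a configured timezone to PAN-OS events whose logs carry no offset",
  "processors": [
    {
      "set": {
        "field": "event.timezone",
        "value": "Europe/London",
        "override": false
      }
    },
    {
      "date": {
        "field": "panw.panos.generated_time",
        "target_field": "@timestamp",
        "formats": ["yyyy/MM/dd HH:mm:ss"],
        "timezone": "{{{event.timezone}}}",
        "on_failure": [
          {
            "append": {
              "field": "error.message",
              "value": "timezone-aware date parse failed: {{{_ingest.on_failure_message}}}"
            }
          }
        ]
      }
    }
  ]
}
```

`override: false` on the `set` processor means that if an agent policy later does populate `event.timezone` (for example via an `add_fields` processor on the input), that value wins over the default, so the pipeline does not need to change when a per-firewall zone becomes available. After installing the pipeline, confirm the fix by comparing `@timestamp` on a fresh event against the firewall's own log viewer; a remaining difference equal to the zone offset means the `date` processor is reading the wrong field or the wrong format.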