Panw Schema Bugs in Bytes Sent/Received and Packets Sent/Received

There are some inconsistencies in the way the bytes sent/received and packets sent/received are being mapped in the panw module for filebeat. According to ECS the traditional "bytes_sent" would be mapped to "client.bytes" and/or "source.bytes", and "bytes_received" would be mapped to "server.bytes" and/or "destination.bytes". "packets_sent" would be mapped to "client.packets" and/or "source.packets", and "packets_received" would be mapped to "server.packets" and/or "destination.packets". This is not how panw has been implemented.

References:

Column 32

  • PAN-OS Documentation: "Bytes Sent" from client-to-server
  • PANW Parse: "client.bytes", "destination.bytes"
  • Should be: "client.bytes", "source.bytes"
  • Lines Affected: 75, 76

Column 33

  • PAN-OS Documentation: "Bytes Received" from server-to-client direction
  • PANW Parse: "server.bytes", "source.bytes"
  • Should be: "server.bytes", "destination.bytes"
  • Lines Affected: 77, 78

Column 44

  • PAN-OS Documentation: "Packets Sent" from client-to-server direction
  • PANW Parse: "server.packets", "destination.packets"
  • Should be: "client.packets", "source.packets"
  • Lines Affected: 84, 85

Column 45

  • PAN-OS Documentation: "Packets Received" from server-to-client direction
  • PANW Parse: "client.packets", "source.packets"
  • Should be: "server.packets", "destination.packets"
  • Lines Affected: 86, 87
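To make the direction problem concrete, here is an added example (not code from the Beats panw module) that parses a constructed PAN-OS traffic log line and maps the four counters to ECS both the way the report says the module does it and the way ECS defines the fields. Column numbers are the 0-indexed positions used above (32, 33, 44, 45); the positions of the total "Bytes" (31) and "Packets" (34) columns and of the source/destination addresses (7, 8) are assumptions taken from the PAN-OS traffic log field order. The consistency check shows why the bug is easy to miss: the client/source and server/destination pairs disagree for bytes, but the packet columns are swapped as a clean pair and pass every arithmetic check.

```python
"""Map PAN-OS traffic-log byte/packet counters to ECS (added example).

Not the Beats panw module's own code. Column numbers are 0-indexed positions
in the comma-separated PAN-OS traffic log, as in the report above:
32 = Bytes Sent, 33 = Bytes Received, 44 = Packets Sent, 45 = Packets Received.
The total counters at 31 (Bytes) and 34 (Packets) and the addresses at 7/8 are
assumed from the PAN-OS traffic log field order.
"""
import csv
import io

# 0-indexed column positions (assumed, see module docstring).
COL_SRC_IP, COL_DST_IP = 7, 8
COL_BYTES, COL_BYTES_SENT, COL_BYTES_RECEIVED = 31, 32, 33
COL_PACKETS, COL_PACKETS_SENT, COL_PACKETS_RECEIVED = 34, 44, 45
NUM_COLUMNS = 50  # enough columns for the fields used here

# Direction semantics. PAN-OS: "sent" = client-to-server, "received" =
# server-to-client. ECS: source/client = initiator, destination/server =
# responder, so source.bytes is "bytes sent from the source to the destination".
ECS_MAPPING = {
    COL_BYTES_SENT: ("client.bytes", "source.bytes"),
    COL_BYTES_RECEIVED: ("server.bytes", "destination.bytes"),
    COL_PACKETS_SENT: ("client.packets", "source.packets"),
    COL_PACKETS_RECEIVED: ("server.packets", "destination.packets"),
}

# The mapping the report describes as shipped (kept only for comparison).
BUGGY_MAPPING = {
    COL_BYTES_SENT: ("client.bytes", "destination.bytes"),
    COL_BYTES_RECEIVED: ("server.bytes", "source.bytes"),
    COL_PACKETS_SENT: ("server.packets", "destination.packets"),
    COL_PACKETS_RECEIVED: ("client.packets", "source.packets"),
}


def build_traffic_line(src_ip, dst_ip, bytes_sent, bytes_received,
                       packets_sent, packets_received):
    """Construct a synthetic PAN-OS traffic log line (test data, not a real
    firewall export). Columns not needed here are left empty."""
    cols = [""] * NUM_COLUMNS
    cols[3] = "TRAFFIC"
    cols[COL_SRC_IP], cols[COL_DST_IP] = src_ip, dst_ip
    cols[COL_BYTES] = str(bytes_sent + bytes_received)
    cols[COL_BYTES_SENT] = str(bytes_sent)
    cols[COL_BYTES_RECEIVED] = str(bytes_received)
    cols[COL_PACKETS] = str(packets_sent + packets_received)
    cols[COL_PACKETS_SENT] = str(packets_sent)
    cols[COL_PACKETS_RECEIVED] = str(packets_received)
    return ",".join(cols)


def map_to_ecs(line, mapping=ECS_MAPPING):
    """Parse one CSV traffic line and return a flat dict of ECS fields."""
    cols = next(csv.reader(io.StringIO(line)))
    if len(cols) <= max(mapping):
        raise ValueError("too few columns for a PAN-OS traffic log line")
    event = {
        "source.ip": cols[COL_SRC_IP],
        "destination.ip": cols[COL_DST_IP],
        "network.bytes": int(cols[COL_BYTES]),
        "network.packets": int(cols[COL_PACKETS]),
    }
    for col, ecs_fields in mapping.items():
        for field in ecs_fields:
            event[field] = int(cols[col])
    return event


def check_directions(event):
    """Return a list of ECS consistency violations.

    client/source and server/destination must carry the same value, and the
    two halves must sum to the totals. A clean swap of both directions still
    passes, so these checks catch half-swaps only; a full swap is visible
    only by reading the PAN-OS and ECS field definitions side by side.
    """
    problems = []
    for a, b in (("client.bytes", "source.bytes"),
                 ("server.bytes", "destination.bytes"),
                 ("client.packets", "source.packets"),
                 ("server.packets", "destination.packets")):
        if event[a] != event[b]:
            problems.append(f"{a}={event[a]} != {b}={event[b]}")
    if event["source.bytes"] + event["destination.bytes"] != event["network.bytes"]:
        problems.append("source.bytes + destination.bytes != network.bytes")
    if event["source.packets"] + event["destination.packets"] != event["network.packets"]:
        problems.append("source.packets + destination.packets != network.packets")
    return problems


if __name__ == "__main__":
    line = build_traffic_line("10.0.0.5", "203.0.113.10", 1200, 48000, 20, 60)
    print("corrected: ", check_directions(map_to_ecs(line)) or "consistent")
    print("as shipped:", check_directions(map_to_ecs(line, BUGGY_MAPPING)))
```

Running it on the constructed line reports two violations for the shipped mapping (client.bytes disagrees with source.bytes, server.bytes with destination.bytes) and none for the corrected one; the swapped packet columns produce no violation at all, which is the case a field-level review rather than an arithmetic check has to catch.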

Any news on this? It would be nice if this were cleared up, as the current implementation indeed seems not to follow the ECS guidelines, such as:

Palo Alto:

Bytes Sent (bytes_sent) Number of bytes in the client-to-server direction of the session.
Bytes Received (bytes_received) Number of bytes in the server-to-client direction of the session.

ECS:

source.bytes => Bytes sent from the source to the destination.
destination.bytes => Bytes sent from the destination to the source.

Same for packets.



There's a PR open to fix this at https://github.com/elastic/beats/pull/18525.

Thanks for reporting it. Sorry we missed this post for so long.