Schema Bug in Filebeat panw Module

Greetings! Hope all is well.

I've been testing out the Palo Alto module on Filebeat version 7.2.1 with some of our internal PAN-OS Traffic and Threat syslogs. I believe I found a bug in the Threat schema.

In the Filebeat module, Source Location and Destination Location fields for Threat syslogs are being piped directly into source.geo.country_iso_code and destination.geo.country_iso_code, which can be seen in beats/x-pack/filebeat/module/panw/panos/config/input.yml on the beats Github repo, lines 133 and 134. According to the PAN-OS documentation however, the Source Location and Destination Location fields for threat logs can also contain "Internal region for private addresses".

This means that in our ES cluster we can see Threat syslog events from the panw module where source/destination.country_iso_code is set to a private IP range, such as This impacts us negatively because we have to filter out private subnets when creating region maps for our threat syslogs (i.e. not destination.geo.country_iso_code:"" and not destination.geo.country_iso_code...).

If possible, we'd like for the country_iso_code field to only be populated with actual country ISO codes, to prevent confusion and for the sake of consistency.


Hi there,

I went ahead and opened an issue on your behalf in You can track the progress there.

Awesome sounds good- thank you! In the future, should I report issues like these straight onto the repository? Or continue to create a post in the forum first?

If you're certain it is a bug you can go ahead and open it directly on the repository. Otherwise, we can always discuss it here first and either give you feedback so that you can open it yourself or open it on your behalf.

Cheers !