Hi,
I have created a Logstash filter to parse Palo Alto syslog. Below is the configuration.
filter {
  # Stage 1: only events whose [fields][node_type] marks them as a firewall
  # (presumably set by the shipper; not visible here).
  if [fields][node_type] == "firewall" {
    # Syslog housekeeping lines carry no firewall data; discard them early.
    if [message] =~ /-- MARK --/ or [message] =~ /last message repeated/ {
      drop {}
    }
    # Peel off a leading timestamp (BSD syslog, ISO8601, or none at all);
    # the rest of the line becomes syslog_message.
    grok {
      match => { "message" => "^(%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:syslog_timestamp}|)%{DATA:syslog_message}$"}
      tag_on_failure => ["_syslog_timestamp_grokparsefailure"]
    }
    # Then the source host (optionally followed by ":"), overwriting
    # syslog_message with whatever follows it.
    grok {
      match => { "syslog_message" => "^\s*%{HOSTNAME:syslog_source}(:|)\s+%{DATA:syslog_message}$"}
      overwrite => ["syslog_message"]
      tag_on_failure => ["_syslog_source_grokparsefailure"]
    }
    # A PAN-OS CSV body starts "1,<y/m/d h:m:s>,<serial>,<type>"; hand such
    # lines to the next stage under a dedicated field name so that stage can
    # be gated on it.
    if [syslog_message] =~ /1,\d+\/\d+\/\d+ \d+:\d+:\d+,\d+,\w+/ {
      mutate {
        rename => { "syslog_message" => "palo_message" }
      }
    }
  }
}
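filter {
  # Stage 2 only applies to events the previous stage renamed to
  # palo_message, so the whole stage is gated on that field. In the
  # original only the mutate was gated: grok and date ran on every event,
  # tagging all non-PAN events with _palo_event_module_grokparsefailure
  # and attempting a date parse on a field that did not exist.
  if [palo_message] {
    mutate {
      add_tag => "palo_firewall"
      replace => { "type" => "firewall-palo" }
      # PAN-OS CSV leaves empty columns as ",,". Filling them with "0" keeps
      # the fixed-position grok below aligned. A lookahead is used so that
      # consecutive empty columns (",,,") are all filled; a plain ",," -> ",0,"
      # replacement consumes both commas and leaves the next empty column
      # untouched. This also rewrites ",," inside the quoted description
      # column should one ever contain it.
      gsub => [
        "palo_message", ",(?=,)", ",0"
      ]
    }
    grok {
      # Fixed-position PAN-OS SYSTEM-log layout. The dotted capture names
      # produce top-level fields literally named "event.created" etc. (not
      # nested [event][created]); reference them the same way below.
      # event.description is matched greedily ("...") and relies on the
      # trailing fixed columns to backtrack correctly.
      match => { "palo_message" => "1,(?<event.receive>\d+\/\d+\/\d+ \d+:\d+:\d+),(?<device.serial>\d+),(?<event.type>\w+),(?<event.subtype>[\w.-]+),\d+,(?<event.created>\d+\/\d+\/\d+ \d+:\d+:\d+),(?<device.vsys>\w+),(?<event.eventID>[\w.-]+),(?<event.object>[\w.-]+),\d+,\d+,(?<event.module>\w+),(?<event.severity>\w+),(?<event.description>(\".*\")|-),(?<event.seqno>\w+),(?<event.action_flag>\w+),(?<event.devH_g1>\d+),(?<event.devH_g2>\d+),(?<event.devH_g3>\d+),(?<event.devH_g4>\d+),(?<event.vsys_name>\w+),(?<event.device_name>[\w.-]+)"}
      tag_on_failure => ["_palo_event_module_grokparsefailure"]
    }
    date {
      # The grok above captures event.created as "yyyy/MM/dd HH:mm:ss" with
      # no fractional seconds and no zone, so "yyyy/MM/dd HH:mm:ss" is the
      # pattern that matches; the original ".SSSZ" form is kept only as a
      # fallback.
      #
      # Because the string carries no offset, `timezone` tells the filter
      # which zone the firewall stamps its logs in. "UTC" means "trust the
      # string as UTC". If PAN-OS writes local time instead, the result is a
      # constant offset (e.g. +10h for a UTC+10 firewall) once Kibana renders
      # it in browser-local time. Set this to the firewall's own zone
      # (e.g. "Australia/Sydney") rather than "UTC" in that case.
      timezone => "UTC"
      match => [ "event.created", "yyyy/MM/dd HH:mm:ss", "yyyy/MM/dd HH:mm:ss.SSSZ" ]
      # No `target` is given, so the parsed value replaces @timestamp and
      # event.created itself stays a string. Add target => "event.created"
      # to convert the field in place instead.
    }
  }
}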
In Kibana, event.created is showing a time 10 hours ahead.
I would really appreciate any help.