[Filebeat] module for palo_alto (pan-os) logs (elastic#11999)
This is a module for Palo Alto Networks PAN-OS logs received via Syslog.

It has been tested with logs for PAN-OS version 7.1 to 9.0. However, it is expected to work with earlier versions as the log format is compatible.
adriansr authored and ph committed May 21, 2019
1 parent c4c6d46 commit 11d8046
Showing 26 changed files with 27,786 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -174,6 +174,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add Filebeat envoyproxy module. {pull}11700[11700]
- Add apache2(httpd) log path (`/var/log/httpd`) to make apache2 module work out of the box on Redhat-family OSes. {issue}11887[11887] {pull}11888[11888]
- Add support to new MongoDB additional diagnostic information {pull}11952[11952]
- New module `palo_alto` for Palo Alto Networks PAN-OS logs. {pull}11999[11999]

*Heartbeat*

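Review bot: minor style point on the new changelog line: the neighbouring Filebeat entries are phrased as an action ("Add Filebeat envoyproxy module.", "Add support to ..."), so `Add Filebeat palo_alto module for Palo Alto Networks PAN-OS logs. {pull}11999[11999]` would read consistently with them; the entry is otherwise correctly placed in the Filebeat section with the right PR reference.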
242 changes: 242 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -40,6 +40,7 @@ grouped in the following categories:
* <<exported-fields-netflow-module>>
* <<exported-fields-nginx>>
* <<exported-fields-osquery>>
* <<exported-fields-palo_alto>>
* <<exported-fields-postgresql>>
* <<exported-fields-process>>
* <<exported-fields-redis>>
Expand Down Expand Up @@ -11822,6 +11823,247 @@ Unix timestamp of the event, in seconds since the epoch. Used for computing the
String representation of the collection time, as formatted by osquery.
--
[[exported-fields-palo_alto]]
== palo_alto fields
Module for Palo Alto Networks (PAN-OS)
[float]
== palo_alto fields
Fields from the palo_alto logs.
[float]
== pan_os fields
Fields for the Palo Alto Networks PAN-OS logs.
*`palo_alto.pan_os.ruleset`*::
+
--
type: keyword
Name of the rule that matched this session.
--
[float]
== source fields
Fields to extend the top-level source object.
*`palo_alto.pan_os.source.zone`*::
+
--
type: keyword
Source zone for this session.
--
*`palo_alto.pan_os.source.interface`*::
+
--
type: keyword
Source interface for this session.
--
[float]
== nat fields
Post-NAT source address, if source NAT is performed.
*`palo_alto.pan_os.source.nat.ip`*::
+
--
type: ip
Post-NAT source IP.
--
*`palo_alto.pan_os.source.nat.port`*::
+
--
type: long
Post-NAT source port.
--
[float]
== destination fields
Fields to extend the top-level destination object.
*`palo_alto.pan_os.destination.zone`*::
+
--
type: keyword
Destination zone for this session.
--
*`palo_alto.pan_os.destination.interface`*::
+
--
type: keyword
Destination interface for this session.
--
[float]
== nat fields
Post-NAT destination address, if destination NAT is performed.
*`palo_alto.pan_os.destination.nat.ip`*::
+
--
type: ip
Post-NAT destination IP.
--
*`palo_alto.pan_os.destination.nat.port`*::
+
--
type: long
Post-NAT destination port.
--
[float]
== network fields
Fields to extend the top-level network object.
*`palo_alto.pan_os.network.pcap_id`*::
+
--
type: keyword
Packet capture ID for a threat.
--
*`palo_alto.pan_os.network.nat.community_id`*::
+
--
type: keyword
Community ID flow-hash for the NAT 5-tuple.
--
[float]
== file fields
Fields to extend the top-level file object.
*`palo_alto.pan_os.file.hash`*::
+
--
type: keyword
Binary hash for a threat file sent to be analyzed by the WildFire service.
--
[float]
== url fields
Fields to extend the top-level url object.
*`palo_alto.pan_os.url.category`*::
+
--
type: keyword
For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'.
--
*`palo_alto.pan_os.flow_id`*::
+
--
type: keyword
Internal numeric identifier for each session.
--
*`palo_alto.pan_os.sequence_number`*::
+
--
type: long
Log entry identifier that is incremented sequentially. Unique for each log type.
--
*`palo_alto.pan_os.threat_file_or_url`*::
+
--
type: keyword
URL or file name for a threat.
--
*`palo_alto.pan_os.threat_id`*::
+
--
type: keyword
Palo Alto Networks identifier for the threat.
--
[[exported-fields-postgresql]]
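Review bot: the description of `palo_alto.pan_os.url.category` reads awkwardly ("the verdict on the file and is either ...") and, more importantly, documents one keyword field that carries two different meanings, a URL category for threat logs and a WildFire verdict for WildFire logs, so a query on `url.category` cannot tell a categorised URL from a sandbox verdict without also filtering on the log type. Consider a separate field for the verdict, or at least reword to "For threat URLs, the URL category. For WildFire events, the verdict on the file: 'malicious', 'grayware' or 'benign'." Two smaller points in the same hunk: `palo_alto.pan_os.file.hash` does not state which hash algorithm the value is, which users need when matching it against threat intel or other ECS hash fields, and the two `[float] == nat fields` sub-sections under source and destination share an identical heading, so the generated page will show two sections titled "nat fields" with nothing in the heading indicating which object each extends; giving them distinct descriptions in fields.yml would fix that.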