Graylog2 / graylog-plugin-integrations

A collection of open source Graylog integrations that will be released together.

Update PaloAlto9xTemplates.java #1283

Closed giveen closed 1 year ago

giveen commented 1 year ago

Addressed ERROR [PaloAltoTypeParser] Error parsing field application_response_time, auto is not a valid numeric value

Notes for Reviewers

CLAassistant commented 1 year ago

CLA assistant check
All committers have signed the CLA.

giveen commented 1 year ago

@kingzacko1 can you take a look at this sometime soon?

giveen commented 1 year ago

@ryan-carroll-graylog

kingzacko1 commented 1 year ago

@giveen do you have more information that you can provide as to why this change is necessary? The application_response_time field is one that should be coming in as a number and auto seems to rightly be being rejected because it is not a number.

kingzacko1 commented 1 year ago

@giveen From the Palo Alto documentation, it looks like that field is supposed to be in milliseconds. I'm curious where you are getting an auto from. Do you have some sample logs with the value that is throwing this error that we can look at?

giveen commented 1 year ago

> @giveen From the Palo Alto documentation, it looks like that field is supposed to be in milliseconds. I'm curious where you are getting an auto from. Do you have some sample logs with the value that is throwing this error that we can look at?

So it looks like from my analysis, that the log is actually coming in like this:

Pre-tunnel latency: 96ms, Post-tunnel latency: 79ms,

here is a sanitized log:

1,2023/03/13 11:58:52,019901000640,GLOBALPROTECT,0,2561,2023/03/13 11:58:52,vsys1,gateway-tunnel-latency,tunnel,,,RxxxxxBxxxxxx@bxxxxx.xxx,,Cxxx-Rxxxx3,7x.17x.22x.22x,0.0.0.0,0.0.0.0,0.0.0.0,4a3e9ba0-c367-4a13-b91a-b628ed11abb9,014746613553,5.2.12,,,1,,,"Pre-tunnel latency: 96ms, Post-tunnel latency: 79ms",success,,0,,0,Bxxxxxxx-GP-Gateway,7209637389893909524,0x8000000000000000,2023-03-13T11:58:53.297-06:00,,,,,,17,18,24,2643,,fw-5xxx-101xxxx-204-01,1

And here is one with the "auto" in it

1,2023/03/13 12:00:37,019901000640,GLOBALPROTECT,0,2561,2023/03/13 12:00:37,vsys1,gateway-auth,login,SAML,,Hxxxxxx@bxxxxxx.xxx,US,Hadleys-MacBook-Pro,6x.6x.2xx.19,0.0.0.0,0.0.0.0,0.0.0.0,3c:06:30:14:dc:67,FVFG24VHQ05D,5.2.12,Mac,"Apple Mac OS X 11.4.0",1,,,,success,,0,on-demand,0,Bxxxxxxx-GP-Gateway,7209637389893909565,0x8000000000000000,2023-03-13T12:00:38.468-06:00,auto,0,manual only,,vxxx.bxxxxx.xxxx,17,18,24,2643,,fw-xxxxx-101mec-204-01,1

kingzacko1 commented 1 year ago

So after digging into this a bit, it looks like the issue is not the type of this field (it should indeed be LONG) but rather a missing column in the template.

The auto value is actually for the Selection Type field, which should be a string. In that same templates file you've edited, we are missing the High Res Timestamp field. So where we have response time at the 37th index, it should actually be at 38. Once that change is made, the next issue is the Priority field at index 39. We have that marked as a LONG and according to docs it should be a number 0-5, but based on some older PAN articles I found it seems like they may be putting the priority string value in that field instead of the integer value.
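To make the column shift concrete, the following is an added example (not code from the project and not the templates file under review). It splits the two sanitized sample records giveen posted with Python's csv module, then applies a hypothetical before/after template to the tail of the record. The template layout, field names and the "empty column means null" rule are assumptions made for the illustration; the indices follow the analysis above.

```python
import csv

# Both sample records below are the sanitized GlobalProtect log lines posted in this PR
# thread; they are not constructed.  Note the quoted Description field (index 27):
# the first record's Description contains a comma, so a naive split(",") would shift
# every later column by one and reproduce exactly the kind of off-by-one seen here.
SAMPLE_LATENCY = (
    '1,2023/03/13 11:58:52,019901000640,GLOBALPROTECT,0,2561,2023/03/13 11:58:52,vsys1,'
    'gateway-tunnel-latency,tunnel,,,RxxxxxBxxxxxx@bxxxxx.xxx,,Cxxx-Rxxxx3,7x.17x.22x.22x,'
    '0.0.0.0,0.0.0.0,0.0.0.0,4a3e9ba0-c367-4a13-b91a-b628ed11abb9,014746613553,5.2.12,,,1,,,'
    '"Pre-tunnel latency: 96ms, Post-tunnel latency: 79ms",success,,0,,0,Bxxxxxxx-GP-Gateway,'
    '7209637389893909524,0x8000000000000000,2023-03-13T11:58:53.297-06:00,,,,,,17,18,24,2643,,'
    'fw-5xxx-101xxxx-204-01,1'
)
SAMPLE_AUTO = (
    '1,2023/03/13 12:00:37,019901000640,GLOBALPROTECT,0,2561,2023/03/13 12:00:37,vsys1,'
    'gateway-auth,login,SAML,,Hxxxxxx@bxxxxxx.xxx,US,Hadleys-MacBook-Pro,6x.6x.2xx.19,'
    '0.0.0.0,0.0.0.0,0.0.0.0,3c:06:30:14:dc:67,FVFG24VHQ05D,5.2.12,Mac,"Apple Mac OS X 11.4.0",'
    '1,,,,success,,0,on-demand,0,Bxxxxxxx-GP-Gateway,7209637389893909565,0x8000000000000000,'
    '2023-03-13T12:00:38.468-06:00,auto,0,manual only,,vxxx.bxxxxx.xxxx,17,18,24,2643,,'
    'fw-xxxxx-101mec-204-01,1'
)

# Hypothetical (index, field name, type) entries for the tail of the record.  This is an
# illustration of the bug discussed in the thread, not the project's own template layout.
TEMPLATE_BEFORE = [  # High Res Timestamp column missing: everything from 36 on is one
    (36, "selection_type", "STRING"),           # position too early (assumed layout)
    (37, "application_response_time", "LONG"),  # lands on "auto" -> parse error
    (38, "priority", "LONG"),                   # lands on "0", which is really the response time
]
TEMPLATE_AFTER = [
    (36, "high_res_timestamp", "STRING"),
    (37, "selection_type", "STRING"),           # "auto"
    (38, "application_response_time", "LONG"),  # "0" (milliseconds)
    (39, "priority", "STRING"),                 # docs say 0-5, but real logs carry "manual only"
]


def split_record(line):
    """Split one PAN CSV record with the csv module so that a quoted, comma-bearing
    Description does not shift the columns that follow it."""
    return next(csv.reader([line]))


def parse_with_template(fields, template):
    """Apply a template to a split record and return (parsed, errors).

    Empty columns are stored as None rather than reported, because PAN leaves unused
    columns blank (assumed rule); only a non-empty value that fails numeric conversion
    is an error, mirroring the message quoted in the PR description.
    """
    parsed, errors = {}, []
    for index, name, ftype in template:
        raw = fields[index] if index < len(fields) else ""
        if raw == "":
            parsed[name] = None
        elif ftype == "LONG":
            try:
                parsed[name] = int(raw)
            except ValueError:
                errors.append(f"Error parsing field {name}, {raw} is not a valid numeric value")
        else:
            parsed[name] = raw
    return parsed, errors


def compare_templates(line):
    """Parse the same record with both templates; returns {"before": (parsed, errors), "after": ...}."""
    fields = split_record(line)
    return {
        "before": parse_with_template(fields, TEMPLATE_BEFORE),
        "after": parse_with_template(fields, TEMPLATE_AFTER),
    }


if __name__ == "__main__":
    for label, (parsed, errors) in compare_templates(SAMPLE_AUTO).items():
        print(label, parsed, errors)
```

Run against the gateway-auth record, the "before" template reproduces the error from the PR description on index 37, while the "after" template yields response time 0, selection type "auto" and the string priority "manual only" without error. The tunnel-latency record shows why a CSV-aware split matters: its Description contains a comma, and with the csv module both records still come out at 49 columns.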

kingzacko1 commented 1 year ago

@giveen I have opened up an issue as well as a new PR with the necessary changelog and approvers added. I am going to close this PR, but you can follow along with progress on #1327 and #1328

giveen commented 1 year ago

Thanks, I appreciate it.