Graylog2 / graylog-plugin-integrations

A collection of open source Graylog integrations that will be released together.

Update Palo Alto Input #452

Open bud1979 opened 4 years ago

bud1979 commented 4 years ago

Description

The current Palo Alto Plugin is good for PAN OS version 8.1, and previous. In the current version (9.1 currently) additional fields were added around SDWAN, and additional changes to logging have been made.

What

We need to update the PAN Input for the new metadata fields in the THREAT, TRAFFIC, SYSTEM logs like updated HERE, but it would be good to think about including Authentication and User-ID log types, as they have valuable information as well.

Also, it needs to be mapped to the current Graylog Schema.

Why

Keep updated on current technologies, and keep the built in inputs mapped to the Graylog Schema

jalogisch commented 4 years ago

Some added information from the community: https://community.graylog.org/t/unable-to-import-palo-alto-networks-content-packs/15187/4?u=jan

theabraxas commented 4 years ago

I wanted to chime in on this and try to add some context from my Palo Alto experience. Today it looks like we're getting THREAT, TRAFFIC, and SYSTEM logs from the enterprise plugin, but there are actually quite a few other log types available per what @bud1979 mentioned. As of today on version 9.1.2 I see these options: (screenshot of the available log types)

I think for most organizations, the most important ones would be:

THREAT, TRAFFIC, SYSTEM, URL, CORRELATION, GLOBALPROTECT

And the remaining as important but secondary: CONFIG, WILDFIRE, DATA, HIP, User-ID, etc.

I'm happy to help out with testing/working on ways to get more formats supported by the enterprise plugin. There are also ways to tell the Palo Alto devices how to reformat their log output types, which I could experiment with if that would help.

This section and the sections immediately below of the PAN documentation provide field mapping information: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html

Please let me know if I can assist with any testing.

bud1979 commented 4 years ago

Hi @theabraxas,

I was looking at the notes you put and the screenshot, and was trying to match them up to the ones in their documentation. Most match, but ones like WildFire, Data, URL I don't see a direct mapping to in their guide, and assume they might be pulled from the other fields. Do you have any examples of what lives in those tabs?

theabraxas commented 4 years ago

For Wildfire I found this remark: WildFire Submissions logs are a subtype of Threat log and use the same syslog format. I think the Data logs are as well.

It also appears that URL logs might be a part of the traffic log even though the firewall UI distinguishes them and the log viewer on the device has different categories for them.

I have a test unit I will set up this weekend and see if I can get a few logs to compare.
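The point raised in the comments above, that WildFire, Data and URL records arrive on the wire as THREAT (or TRAFFIC) records and are only told apart by the subtype column, is what a parser has to handle. The following is an added example, not code from this thread or from the plugin: a small positional field mapper in Python that dispatches on the Type and Subtype columns. The column positions are an assumption taken from the PAN-OS 9.1 syslog field descriptions linked earlier, the field names are my own, and the sample bodies are constructed.

```python
import csv
from io import StringIO
from typing import Dict, Optional
# Positional names for the columns TRAFFIC and THREAT records share, up to the
# Action column: an assumption taken from the PAN-OS 9.1 syslog field docs.
COMMON_FIELDS = [
    "future_use", "receive_time", "serial_number", "type", "subtype",
    "future_use2", "generated_time", "src_ip", "dst_ip", "nat_src_ip",
    "nat_dst_ip", "rule_name", "src_user", "dst_user", "application",
    "vsys", "src_zone", "dst_zone", "inbound_if", "outbound_if",
    "log_action", "future_use3", "session_id", "repeat_count", "src_port",
    "dst_port", "nat_src_port", "nat_dst_port", "flags", "protocol", "action",
]
# Columns that follow Action in each record type (same assumption).
TYPE_EXTRA = {
    "TRAFFIC": ["bytes", "bytes_sent", "bytes_received", "packets"],
    "THREAT": ["url_or_filename", "threat_id", "category", "severity", "direction"],
}
# Subtypes the firewall UI lists as separate log types but sends as THREAT.
THREAT_SUBTYPES = {"url", "wildfire", "data", "vulnerability", "virus", "spyware"}
def parse_pan_csv(body: str) -> Optional[Dict[str, str]]:
    """Name the fields of one PAN-OS CSV body (syslog header already removed);
    None when the row is shorter than the shared prefix, so nothing is half-mapped."""
    row = next(csv.reader(StringIO(body)))  # csv handles quoted commas in URLs
    if len(row) < len(COMMON_FIELDS):
        return None
    rec = dict(zip(COMMON_FIELDS, row))
    extra = TYPE_EXTRA.get(rec["type"], [])
    rec.update(zip(extra, row[len(COMMON_FIELDS):]))  # maps only what is present
    rec["log_family"] = rec["type"]
    if rec["type"] == "THREAT" and rec["subtype"] in THREAT_SUBTYPES:
        rec["log_family"] = "THREAT/" + rec["subtype"]
    return rec
# Constructed sample bodies (not real device output).
TRAFFIC_SAMPLE = (
    "1,2020/05/05 10:00:01,001234567890,TRAFFIC,end,2049,2020/05/05 10:00:01,"
    "10.0.0.5,93.184.216.34,203.0.113.1,93.184.216.34,allow-web,example\\alice,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,"
    "2020/05/05 10:00:01,12345,1,51234,443,41234,443,0x400019,tcp,allow,"
    "1500,900,600,12"
)
THREAT_URL_SAMPLE = (
    "1,2020/05/05 10:00:02,001234567890,THREAT,url,2049,2020/05/05 10:00:02,"
    "10.0.0.5,93.184.216.34,203.0.113.1,93.184.216.34,allow-web,example\\alice,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,"
    "2020/05/05 10:00:02,12346,1,51235,443,41235,443,0x400000,tcp,alert,"
    "\"example.com/search?a=1,b=2\",(9999),computer-and-internet-info,"
    "informational,client-to-server"
)
```

A record of a type without an entry in TYPE_EXTRA (SYSTEM, CONFIG, ...) still gets the shared prefix named, and a row shorter than that prefix is rejected rather than mis-mapped.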

bud1979 commented 4 years ago

Yeah, that makes sense that they are mixing them together. If you do set up a test box and get some logs from them, would you be willing to upload them so we can use them to create and test the new integration? I can set up a spot to share the files as well. Thanks!

Houtek commented 4 years ago

I could help with 3+ Palo Alto clusters as well. We have several boxes with 8.1.x, 9.0.x and 9.1.x running.

bud1979 commented 4 years ago

Hi Houtek,

Is there a way to get some sample logs from your device? That would help us along in creating working examples, and testing our stuff. Anything for 9 & 9.1 would be awesome.

Thanks

Houtek commented 4 years ago

Hi, I've added a few log excerpts from traffic and threat logs from PANOS 9.0.5 and 9.1.2. If you need other types I'd have to check first what can be obfuscated so that the output is still usable. pan-logs.txt

bud1979 commented 4 years ago

Thank you for the logs, always appreciate it.