Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Palo Alto Input not parsing `VendorFields.VENDOR_PRIVATE_IP`, field is either NOT present when it should be or contains 0.0.0.0 #17044

Open drewmiranda-gl opened 12 months ago

drewmiranda-gl commented 12 months ago

Palo Alto Networks TCP (PAN-OS v9+) input not parsing VendorFields.VENDOR_PRIVATE_IP, field is either NOT present when it should be or contains 0.0.0.0

Initially investigating why pan_event_name: gateway-getconfig is not parsing the virtual IP (IP handed out by Global Protect gateway, internal IP used on that network).

Looking at the mappings via https://github.com/Graylog2/graylog2-server/blob/master/graylog2-server/src/main/java/org/graylog/integrations/inputs/paloalto9/PaloAlto9xTemplates.java#L242 and comparing to the comma-separated message, the fields line up correctly, the data is in the message, so it is unclear why it's not being parsed.

Expected Behavior

VENDOR_PRIVATE_IP is parsed from the Palo Alto log message

Current Behavior

VENDOR_PRIVATE_IP is either missing from the messages it should exist for, OR VENDOR_PRIVATE_IP only has 0.0.0.0

Possible Solution

Steps to Reproduce (for bugs)


Context

This is related to a deal we're working on closing and is very important for tracking users/devices against their virtual IP.

Your Environment
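To make the position-based comparison in the report above concrete, here is an added example (not Graylog's code and not the PaloAlto9xTemplates.java mapping): it maps a comma-separated PAN-OS style line to named fields by position, then checks for the two symptoms described, the field being absent or holding 0.0.0.0. The position table and the sample lines are constructed for the example; the real GlobalProtect positions are the ones in the linked Java file.

```python
# Added example (not Graylog's code): positional mapping of a comma-separated
# PAN-OS style message into named fields, plus a check for the two symptoms in
# the report (VENDOR_PRIVATE_IP absent, or present but 0.0.0.0).
import csv
import ipaddress
from io import StringIO
from typing import Callable, Dict, List, Optional

# Assumption: a simplified, constructed position table. The real GlobalProtect
# positions live in Graylog's PaloAlto9xTemplates.java and are not copied here.
TEMPLATE: Dict[int, str] = {
    3: "pan_type", 4: "pan_subtype", 8: "pan_event_name",
    12: "src_user", 15: "vendor_public_ip", 17: "vendor_private_ip",
}

def csv_split(message: str) -> List[str]:
    """Split honouring quotes: a quoted field that contains a comma must not
    shift every later position (a plain str.split(',') would)."""
    return next(csv.reader(StringIO(message)))

def naive_split(message: str) -> List[str]:
    return message.split(",")

def map_fields(message: str, splitter: Callable = csv_split) -> Dict[str, str]:
    """Name the positions in TEMPLATE; positions past the end are absent."""
    parts = splitter(message)
    return {name: parts[i] for i, name in TEMPLATE.items() if i < len(parts)}

def usable_ip(value: Optional[str]) -> Optional[str]:
    """Return the address if it is a real one; None if missing, malformed or
    unspecified (0.0.0.0 / ::), i.e. useless for tracking a user's device."""
    if not value:
        return None
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return None if addr.is_unspecified else str(addr)

def private_ip(message: str, splitter: Callable = csv_split) -> Optional[str]:
    return usable_ip(map_fields(message, splitter).get("vendor_private_ip"))

# Constructed sample lines (not real PAN-OS output); field 14 is a quoted
# machine name containing a comma, field 17 is the private IP.
GOOD = ('1,2024/01/01 12:00:00,001234567890,GLOBALPROTECT,globalprotect,2561,'
        '2024/01/01 12:00:00,vsys1,gateway-getconfig,configuration,SAML,SSL,'
        'jdoe,US,"LAPTOP-01, Finance",203.0.113.10,,10.20.30.40,')
ZERO = GOOD.replace("10.20.30.40", "0.0.0.0")

if __name__ == "__main__":
    print(private_ip(GOOD))               # 10.20.30.40
    print(private_ip(ZERO))               # None: unspecified address
    print(private_ip(GOOD, naive_split))  # None: quoted comma shifted positions
```

The third call shows one general way a correctly positioned field can still come out empty: a quoted value containing a comma shifts everything after it when the line is split naively.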

drewmiranda-gl commented 12 months ago

I don't want to share full data publicly, but please refer to https://github.com/Graylog2/graylog-project-illuminate/issues/1712