The Cribl Pack for Palo Alto Networks Firewalls processes events with the following goals in mind:
You should expect to see 15-30% reduction in the size of your Palo Alto Firewall log data.
Route Palo Alto events to the pack with the following filter, and set the `cribl-palo-alto-networks` pack as the pipeline:

```
(sourcetype=='pan:log' || sourcetype=='pan_log' || /^[^,]+,[^,]+,[^,]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID|GLOBALPROTECT),/.test(_raw))
```

Set `pan_default_index` inside the Pack to the appropriate Splunk index for your Palo Alto logs. By default, the `index` field will be set to `pan_logs`.

This pack assumes firewalls currently use UTC/GMT for their time zone configuration. If any device uses a local time zone, configure an entry in the `device_info.csv` lookup file (located in the pack's Knowledge content) to adjust timestamps with the timezone of the firewall. The timezone acts as the offset used to adjust the timestamp of the event to UTC with the Auto Timestamp function.
The lookup file expects data in two columns: `host` and `tz`. The `host` field accepts a regular expression to match the hostname of the firewall. The most specific regex in the lookup will be used to match the timezone.
Consider an example with the following hostnames using a standard naming convention: each hostname begins with `FW` followed by a location string. Here are some example hostnames:

```
FW-US-MO-KC-01
FW-US-MO-KC-02
FW-US-MO-STL-01
FW-US-TX-DFW-01
FW-US-TX-AUS-01
FW-US-TX-ELP-01
FW-UK-LON-01
FW-JP-HND-01
```
The first 5 examples are in the US Central time zone. El Paso, Texas (ELP) observes Mountain Time. The final two examples are London and Tokyo, in the Europe/London and Asia/Tokyo time zones, respectively.
A regex of `FW-\d+` would match all firewalls, and a specific regex of `FW-US-MO-KC-\d+` would only match the firewalls in the Kansas City data center. Matches for `FW-US-MO-KC-\d+` will take higher precedence over the `FW-\d+` regex. This functionality can be used to match specific firewalls or groups of firewalls and provide a timezone for each with increasing precedence. More information about this behavior is provided on the Cribl Documentation Lookup Function page.
Time zones are configured using Olson formatted timezones (e.g. `America/Chicago`) and applied with the `C.Time.adjustTZ` function. A listing of time zones can be found in the IANA Time Zone Database.

Cribl uses a third-party library, `timezone-support`, to import timezone definitions. As of the time of writing, Cribl uses version 2.0.2 of this package, which supports all time zones up to the 2019a release of the IANA Time Zone Database but may include more up-to-date entries. Please verify before using a specific timezone. All changes to the timezone database since 2016 are listed in the IANA Time Zone Database release notes.
Here is an example lookup file based on the scenario above, utilizing increasing regex specificity for timezone matching:

```
host,tz
FW-US-.*,America/Chicago
FW-US-TX-ELP-.*,America/Denver
FW-JP-.*,Asia/Tokyo
FW-UK-.*,Europe/London
```
Firewalls not matching any entry in this list would be assumed to currently have timestamps in UTC.
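The following Node.js script is an added example, not code from the Cribl pack: it models what the `device_info.csv` lookup and the `C.Time.adjustTZ` step do for the lookup file above, resolving a firewall's zone by regex and converting its local timestamp to UTC. It assumes that "most specific" means the longest matching regex, uses Node's `Intl` zone data instead of `timezone-support`, and the `YYYY/MM/DD HH:MM:SS` timestamps and hostnames are constructed sample input.

```javascript
// Added example, not part of the Cribl pack. Assumption: "most specific" means
// the longest matching regex; timestamps and hostnames are constructed samples.
const DEVICE_INFO_CSV = `host,tz
FW-US-.*,America/Chicago
FW-US-TX-ELP-.*,America/Denver
FW-JP-.*,Asia/Tokyo
FW-UK-.*,Europe/London`;

// Parse the (constructed) lookup; anchor each regex so it must match the whole host.
function parseLookup(csv) {
  return csv.trim().split('\n').slice(1).map(line => {
    const [host, tz] = line.split(',');
    return { pattern: new RegExp('^(?:' + host + ')$'), source: host, tz };
  });
}

// Longest matching regex wins (assumed "most specific"); null means no entry (already UTC).
function lookupTz(rows, hostname) {
  const hits = rows.filter(r => r.pattern.test(hostname));
  if (hits.length === 0) return null;
  return hits.reduce((a, b) => (b.source.length > a.source.length ? b : a)).tz;
}

// Offset of IANA zone `tz`, in minutes east of UTC, at the instant `utcMs`.
function zoneOffsetMinutes(tz, utcMs) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone: tz, hourCycle: 'h23', year: 'numeric', month: '2-digit',
    day: '2-digit', hour: '2-digit', minute: '2-digit', second: '2-digit',
  }).formatToParts(new Date(utcMs));
  const p = Object.fromEntries(parts.map(x => [x.type, x.value]));
  const wall = Date.UTC(+p.year, p.month - 1, +p.day, +p.hour % 24, +p.minute, +p.second);
  return Math.round((wall - utcMs) / 60000);
}

// Convert a local "YYYY/MM/DD HH:MM:SS" timestamp in zone `tz` to ISO-8601 UTC.
function toUtcIso(localTs, tz) {
  const [y, mo, d, h, mi, s] = localTs.split(/[\/ :]/).map(Number);
  const naive = Date.UTC(y, mo - 1, d, h, mi, s); // wall clock read as if UTC
  if (!tz) return new Date(naive).toISOString();
  // Two passes so the offset is evaluated near the true instant (DST edges).
  let utc = naive - zoneOffsetMinutes(tz, naive) * 60000;
  utc = naive - zoneOffsetMinutes(tz, utc) * 60000;
  return new Date(utc).toISOString();
}

// Resolve a firewall's zone from the lookup and normalize one event's timestamp.
function normalizeEvent(hostname, localTs) {
  const tz = lookupTz(parseLookup(DEVICE_INFO_CSV), hostname);
  return { host: hostname, tz, utc: toUtcIso(localTs, tz) };
}
```

Cribl's Lookup function applies its own regex matching and precedence rules, so treat this as a model of the behaviour rather than the pack's implementation.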
- Added the `src_dvc_profile` field to the serializer function.
- `index` and `source` field values can be changed in one location instead of every pipeline!
- Added `pan_device_name_as_host` to set the `host` field value from the `dvc_host` field value instead of the syslog header.
- Renamed the pack from `PAN` to `cribl-palo-alto-networks` to match the naming convention of Cribl-built Packs.
- `device_info.csv` now uses Olson formatted timezones (e.g. `America/Chicago`) instead of static offsets, together with the `C.Time.adjustTZ` function, for better time zone support. A listing of time zones can be found in the IANA Time Zone Database.
- Filters use `indexOf` instead of `test` for higher performance.
- Added the `device_info.csv` lookup file and a lookup function in the pipelines to adjust time zones per firewall.

Discuss this pack on our Community Slack channel #packs.
The author of this pack is Brendan Dalpe and can be contacted at bdalpe@cribl.io.
This Pack uses the following license: Apache 2.0.