sm-biz / paloalto-elasticstack-viz

PANW Firewall Visualisations using Elastic Stack

error 400 #8

Open Prakashlakhera opened 5 years ago

Prakashlakhera commented 5 years ago

While executing

curl -XPUT http://:9200/_template/panos-traffic?pretty -H 'Content-Type: application/json' -d @traffic_template_mapping-v1.json
curl -XPUT http://:9200/_template/panos-threat?pretty -H 'Content-Type: application/json' -d @threat_template_mapping-v1.json

on ELK 6.4.2 I am getting this error:

{"error":"Content-Type header [application/json] is not supported", "status":406}

acecase commented 4 years ago

Anyone bumping into this: it is probably because you are running ELK 7+. punisherVX has posted updated versions of the JSON files. For me his traffic template worked out of the box, and his threat template just needed a small adjustment (remove the "default" block that starts on line 8). Hope it helps, and I hope sm-biz and shadow-box keep these things going. They're really nice.
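The adjustment described above (dropping the legacy mapping-type block before loading a template into a 7.x cluster) as an added example; this is not code from the repository or from anyone in this thread. It assumes the "default" block is the `_default_` mapping type of an ES 6.x template, and the sample template and its field names are constructed placeholders, not the project's real mapping.

```python
import json

# Constructed sample: a legacy (ES 6.x style) index template with a
# "_default_" mapping type block, standing in for threat_template_mapping-v1.json.
# Field names are placeholders, not the project's real mapping.
LEGACY_TEMPLATE = json.dumps({
    "index_patterns": ["panos-threat-*"],
    "settings": {"number_of_shards": 1},
    "mappings": {
        "_default_": {
            "properties": {
                "@timestamp": {"type": "date"},
                "src_ip": {"type": "ip"},
                "severity": {"type": "keyword"},
            }
        }
    },
})


def es_major_version(info_response):
    """Parse the major version from the JSON body of GET / on the cluster root."""
    return int(info_response["version"]["number"].split(".")[0])


def convert_template_for_es7(template_text):
    """Flatten a legacy typed mapping into the typeless form ES 7 expects.

    ES 7 rejects a mapping type block such as "_default_" in a template;
    this keeps the properties under it and discards the type wrapper.
    """
    template = json.loads(template_text)
    mappings = template.get("mappings", {})
    if "properties" in mappings:
        return template  # already typeless, nothing to do
    if len(mappings) != 1:
        raise ValueError("expected exactly one mapping type to flatten")
    _type_name, body = next(iter(mappings.items()))
    template["mappings"] = body
    return template


def template_for_cluster(template_text, info_response):
    """Pick the template form matching the cluster version; 6.x keeps the type block."""
    if es_major_version(info_response) >= 7:
        return convert_template_for_es7(template_text)
    return json.loads(template_text)
```

Write the returned dict back out with `json.dumps` and PUT it with the curl command from the first post.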

KeshavChaurasia commented 4 years ago

Thank you so much, it worked.

justinegumba24 commented 4 years ago

Hi @acecase @KeshavChaurasia. I am also using this method, both on CentOS (ELK 7) and Ubuntu (ELK 6). Timezone is Asia/Manila. Unfortunately, threat is not showing up, while traffic, config and system logs show on INDEX. I have been stuck here for 2 weeks and I am still looking for a way/logs to correct this one.

I hope someone can help me understand.

KeshavChaurasia commented 4 years ago

Hi @justinegumba24, the index appears only when data comes in. For the index to be created you need to simulate some threats. Only after that does the threat index appear.

justinegumba24 commented 4 years ago

> Hi @justinegumba24, the index appears only when data comes in. For the index to be created you need to simulate some threats. Only after that does the threat index appear.

@KeshavChaurasia yes, I am simulating threat logs, and at the same time I am sure that I have had some threats for 2 weeks, from informational to critical. Any other ideas?

KeshavChaurasia commented 4 years ago

threat_template_mapping-7.x.json.txt

@justinegumba24 Remove the .txt at the end; it was not uploading as a JSON file. This config worked for me.

justinegumba24 commented 4 years ago

@KeshavChaurasia I will try it now and will give feedback as soon as possible. Thanks!

justinegumba24 commented 4 years ago

@KeshavChaurasia unfortunately it was the same as mine and it is still not working. I followed the Log Forwarding Profile for each of traffic, threat, url and wildfire in Palo Alto. Also for Syslog, I am using UDP 5514 with Facility LOG_USER. Palo Alto version: 9.0.7

How about you?

KeshavChaurasia commented 4 years ago

@justinegumba24 I also have the same configurations.

justinegumba24 commented 4 years ago

@KeshavChaurasia I recreated my whole Syslog and Log Forwarding Profiles. Surprisingly, it works. It seems that threat was being forwarded to port 514 and the rest to 5514. I am not sure about this. Need to learn more. Thanks!