search

splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0
152 stars 108 forks source link

PANOS App-Parser Enhancement #2304

Closed makal27 closed 8 months ago

makal27 commented 9 months ago

What is the sc4s version ? 3.14.0 Is there a pcap available? No What the vendor name? Palo Alto Networks What's the product name? panos Feature Request description: additional parsing for Decryption and Authentication log subtypes Should it support TCP or UDP? N/A Do you want to have it for local usage or prepare a github PR? Ideally, a PR.

Below is an updated app-parser for the 'app-syslog-pan_panos.conf' configuration file, that I have implemented successfully:

Changes include the addition of extractions for Decryption and Authentication logs, which subsequently fixes the hostname extraction from the "pan_forwarder" field.

block parser app-syslog-pan_panos() {
 channel {
        rewrite {
            r_set_splunk_dest_default(
                index(“netops”)
                sourcetype(‘pan:log’)
                vendor(“pan”)
                product(‘panos’)
                template(‘t_msg_only’)
            );
            set(“$HOST”, value(“fields.pan_forwarder”), condition( program(‘logforwarder’ type(string))));
        };

        if (message(‘,THREAT,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1”,“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“src_ip”,“dest_ip”,“src_translated_ip”,“dest_translated_ip”,“rule”,“src_user”,“dest_user”,“app”,“vsys”,“src_zone”,“dest_zone”,“src_interface”,“dest_interface”,“log_forwarding_profile”,“future_use3",“session_id”,“repeat_count”,“src_port”,“dest_port”,“src_translated_port”,“dest_translated_port”,“session_flags”,“transport”,“action”,“misc”,“threat”,“raw_category”,“severity”,“direction”,“sequence_number”,“action_flags”,“src_location”,“dest_location”,“future_use4”,“content_type”,“pcap_id”,“file_hash”,“cloud_address”,“url_index”,“user_agent”,“file_type”,“xff”,“referrer”,“sender”,“subject”,“recipient”,“report_id”,“devicegroup_level1”,“devicegroup_level2",“devicegroup_level3”,“devicegroup_level4",“vsys_name”,“dvc_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    index(‘netproxy’)
                    class(‘threat’)
                    sourcetype(‘pan:threat’)
                );
            };
        } elif (message(‘,TRAFFIC,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“src_ip”,“dest_ip”,“src_translated_ip”,“dest_translated_ip”,“rule”,“src_user”,“dest_user”,“app”,“vsys”,“src_zone”,“dest_zone”,“src_interface”,“dest_interface”,“log_forwarding_profile”,“future_use3”,“session_id”,“repeat_count”,“src_port”,“dest_port”,“src_translated_port”,“dest_translated_port”,“session_flags”,“transport”,“action”,“bytes”,“bytes_out”,“bytes_in”,“packets”,“start_time”,“duration”,“http_category”,“future_use4",“sequence_number”,“action_flags”,“src_location”,“dest_location”,“future_use5”,“packets_out”,“packets_in”,“session_end_reason”,“devicegroup_level1”,“devicegroup_level2",“devicegroup_level3”,“devicegroup_level4",“vsys_name”,“dvc_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                        index(‘netfw’)
                        class(‘traffic’)
                        sourcetype(‘pan:traffic’)
                );
            };
        } elif (message(‘,SYSTEM,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“vsys”,“event_id”,“object”,“future_use3",“future_use4”,“module”,“severity”,“description”,“sequence_number”,“action_flags”,“devicegroup_level1”,“devicegroup_level2",“devicegroup_level3”,“devicegroup_level4",“vsys_name”,“dvc_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                        index(‘netops’)
                        class(‘system’)
                        sourcetype(‘pan:system’)
                );
            };
        } elif (message(‘,CONFIG,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“host_name”,“vsys”,“command”,“admin”,“client”,“result”,“configuration_path”,“sequence_number”,“action_flags”,“before_change_detail”,“after_change_detail”,“devicegroup_level1",“devicegroup_level2”,“devicegroup_level3",“devicegroup_level4”,“vsys_name”,“dvc_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    index(‘netops’)
                    class(‘config’)
                    sourcetype(‘pan:config’)
                );
            };
        } elif (message(‘,HIPMATCH,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“src_user”,“vsys”,“host_name”,“os”,“src_ip”,“hip_name”,“hip_count”,“hip_type”,“future_use3”,“future_use4",“sequence_number”,“action_flags”,“devicegroup_level1”,“devicegroup_level2",“devicegroup_level3”,“devicegroup_level4",“vsys_name”,“dvc_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    index(‘epintel’)
                    class(‘hipmatch’)
                    sourcetype(‘pan:hipmatch’)
                );
            };
        } elif (message(‘,CORRELATION,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“src_ip”,“src_user”,“vsys”,“category”,“severity”,“devicegroup_level1",“devicegroup_level2”,“devicegroup_level3",“devicegroup_level4”,“vsys_name”,“dvc_name”,“vsys_id”,“object”,“object_id”,“evidence”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite{
                r_set_splunk_dest_update_v2(
                    class(‘correlation’)
                    sourcetype(‘pan:correlation’)
                );
            };
        } elif (message(‘,USERID,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“type”,“log_subtype”,“version”,“generated_time”,“vsys”,“src_ip”,“source_name”,“event_id”,“repeat_count”,“timeout_threshold”,“src_port”,“dest_port”,“source”,“source_type”,“sequence_number”,“action_flags”,“devicegroup_level1”,“devicegroup_level2",“devicegroup_level3”,“devicegroup_level4",“vsys_name”,“dvc_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    index(‘netauth’)
                    class(‘userid’)
                    sourcetype(‘pan:userid’)
                );
            };
        } elif (message(‘,GLOBALPROTECT,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“log_type”,“future_use2",“version”,“time_generated”,“vsys”,“event_id”,“stage”,“auth_method”,“tunnel_type”,“src_user”,“src_region”,“machine_name”,“public_ip”,“public_ipv6",“private_ip”,“private_ipv6",“host_id”,“serial_number”,“client_ver”,“client_os”,“client_os_ver”,“repeat_count”,“reason”,“error”,“opaque”,“status”,“location”,“login_duration”,“connect_method”,“error_code”,“portal”,“sequence_number”,“action_flags”,“event_time”,“selection_type”,“response_time”,“priority”,“attempted_gateways”,“gateway”,“devicegroup_level1",“devicegroup_level2”,“devicegroup_level3",“devicegroup_level4”,“vsys_name”,“dvc_name”,“vsys_id”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    index(‘netfw’)
                    class(‘globalprotect’)
                    sourcetype(‘pan:globalprotect’)
                );
            };
        } elif (message(‘,DECRYPTION,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“log_type”,“log_subtype”,“version”,“generated_time”,“src_ip”,“dest_ip”,“src_translated_ip”,“dest_translated_ip”,“rule”,“src_user”,“dest_user”,“app”,“vsys”,“src_zone”,“dest_zone”,“src_interface”,“dest_interface”,“log_forwarding_profile”,“start_time”,“session_id”,“repeat_count”,“src_port”,“dest_port”,“src_translated_port”,“dest_translated_port”,“flags”,“IP_PROTOCOL”,“action”,“tunnel_id”,“future_use2",“future_use3”,“src_vm_uuid”,“dest_vm_uuid”,“uuid_rule”,“stage_client_firewall”,“stage_firewall_client”,“tls_version”,“key_exchange_algorithm”,“encryption_algorithm”,“hash_algorithm”,“rule”,“elliptic_curve”,“error_index”,“root_status”,“chain_status”,“proxy_type”,“cert_serial_number”,“fingerprint”,“cert_start_time”,“cert_end_time”,“cert_version”,“cert_size”,“cn_length”,“issuer_cn_length”,“root_cn_length”,“sni_length”,“cert_flags”,“subject_cn”,“issuer_subject_cn”,“root_subject_cn”,“server_name”,“error”,“container_id”,“pod_namespace”,“pod_name”,“src_edl”,“dest_edl”,“src_dag”,“dest_dag”,“timestamp”,“src_dvc_category”,“src_dvc_profile”,“src_dvc_model”,“src_dvc_vendor”,“src_dvc_os”,“src_dvc_os_version”,“src_name”,“src_mac”,“dest_dvc_category”,“dest_dvc_profile”,“dest_dvc_model”,“dest_dvc_vendor”,“dest_dvc_os”,“dest_dvc_os_version”,“dest_name”,“dest_mac”,“sequence_number”,“action_flags”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    class(‘decryption’)
                    sourcetype(‘pan:decryption’)
                );
            };
        } elif (message(‘,AUTH,’ type(string) flags(substring))) {
            parser {
                csv-parser(
                    columns(“future_use1",“receive_time”,“serial_number”,“log_type”,“log_subtype”,“version”,“generated_time”,“vsys”,“src_ip”,“user”,“user_normalized”,“object”,“authentication_policy”,“repeast_count”,“authentication_id”,“pan_vendor”,“log_action”,“server_profile”,“description”,“client_type”,“event_type”,“factor_number”,“sequence_number”,“action_flags”,“device_group_hierarchy_1",“device_group_hierarchy_2”,“device_group_hierarchy_3",“device_group_hierarchy_4”,“vsys”,“dvc_name”,“vsys_id”,“authentication_protocol”,“rule”,“timestamp”,“src_host_category”,“src_host_profile”,“src_host_model”,“src_host_vendor”,“src_host_os_name”,“src_host_os_version”,“src_host”,“src_mac”,“region”,“future_use2”,“user_agent”,“session_id”,“cluster_name”)
                    prefix(“.values.“)
                    delimiters(‘,’)
                    quote-pairs(‘“”’)
                    flags(escape-double-char)
                );
            };
            rewrite {
                r_set_splunk_dest_update_v2(
                    index(‘netauth’)
                    class(‘authentication’)
                    sourcetype(‘pan:auth’)
                );
            };
        } else { };

        # Palo IETF (5424) event is entirely contained in $MESSAGE; for BSD format event needs to be constructed from
        # constituent parts.  LEGACY_MSGHDR is null in IETF so concatenation is a no-op (so no test is needed).

        parser {
            # Parse the date
            # 2012/04/10 04:39:55
            date-parser-nofilter(format(
                    ‘%Y/%m/%d %H:%M:%S.%f’,
                    ‘%Y/%m/%d %H:%M:%S’,
                    ‘%Y-%m-%dT%H:%M:%S.%f%z’,)
                    template(“${.values.generated_time}“)
            );
        };

        rewrite {
            set(“${.values.dvc_name}” value(“HOST”)
                condition( match(‘^.’ value(‘.values.dvc_name’) )) );
        };

   };
};
application app-syslog-pan_panos-pgm[sc4s-syslog-pgm] {
    filter {
        program(‘logforwarder’ type(string))
        ;
    };  
    parser { app-syslog-pan_panos(); };
};

application app-syslog-pan_panos[sc4s-syslog] {
    filter {
        “${PROGRAM}” eq “”
        and message(‘1,’ type(string) flags(prefix))
        and message(‘^1,[^,]+,[^,]+,[A-Z]+\,’)
        ;
    };  
    parser { app-syslog-pan_panos(); };
};
makal27 commented 9 months ago

This should fix Issue #2262 and #2083 as well

mstopa-splunk commented 8 months ago

@makal27 looks great, thank you! I will try to test and get it merged within this sprint

mstopa-splunk commented 8 months ago

@makal27 big thank you, this has been released in v.3.19.1