Graylog_Content_Pack_PaloAltoNetworks
Threat not Grokking
I am running 7.1
I was not able to get the threats split out and thus the dashboards were not working.
I found that there were a few optional fields in the pattern that were not marked as such. They were the RuleName fields and the Egress Interface fields. By adding (GROK)? I was able to get it to parse properly.
%{IPORHOST:source} +:* *%{BASE10NUM:Domain},%{DATE_US2:LoggedDate} +%{TIME:LoggedTime},%{NOTCOMMA:SerialNumber},%{NOTCOMMA:Type},%{NOTCOMMA:Subtype},%{NOTCOMMA:ConfigVersion},%{DATE_US2:EventDate} +%{TIME:EventTime},%{IP:SourceIP},%{IP:DestinationIP},(%{IP:NATSourceIP})?,(%{IP:NATDestinationIP})?,(%{NOTCOMMA:RuleName})?,(%{NOTCOMMA:SourceUser})?,(%{NOTCOMMA:DestinationUser})?,(%{NOTCOMMA:Application})?,%{NOTCOMMA:VirtualSystem},%{NOTCOMMA:SourceZone},%{NOTCOMMA:DestinationZone},%{NOTCOMMA:IngressInterface},(%{NOTCOMMA:EgressInterface})?,%{NOTCOMMA:LogForwardingProfile},%{NOTCOMMA:UNWANTED},%{BASE10NUM:SessionID},%{BASE10NUM:RepeatCount},(%{BASE10NUM:SourcePort})?,(%{BASE10NUM:DestinationPort})?,(%{BASE10NUM:NATSourcePort})?,(%{BASE10NUM:NATDestinationPort})?,%{NOTCOMMA:Flags},%{NOTCOMMA:Protocol},%{NOTCOMMA:Action},%{QSORNC:Miscellaneous},%{NOTCOMMA:ThreatID},%{NOTCOMMA:Category},%{NOTCOMMA:Severity},%{NOTCOMMA:Direction},%{BASE10NUM:Sequence},%{NOTCOMMA:ActionFlags},(%{NOTCOMMA:SourceLocation})?,(%{NOTCOMMA:DestinationLocation})?.*
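A way to check the corrected pattern offline, as an added example that is not part of the content pack or this issue: it expands the grok pattern above into a Python regex and runs it against a constructed THREAT line whose RuleName and EgressInterface fields are empty, then shows the same line failing when those fields are mandatory again. The base patterns DATE_US2, NOTCOMMA and QSORNC are assumed simplifications, since the pack's own definitions are not shown here.

```python
import re
# Base grok patterns used by the pattern above. The content pack's own DATE_US2,
# NOTCOMMA and QSORNC definitions are not on the page; these are assumed approximations.
GROK = {
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9._-]+)",
    "BASE10NUM": r"-?\d+(?:\.\d+)?",
    "DATE_US2": r"\d{4}/\d{2}/\d{2}",  # assumed YYYY/MM/DD, the PAN-OS date format
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "NOTCOMMA": r"[^,]+",  # one or more chars, so an empty field only matches inside (...)?
    "QSORNC": r'(?:"[^"]*"|[^,]+)',  # quoted string (commas allowed inside) or not-comma
}
# The corrected pattern from the issue, split across lines only for readability.
THREAT = (
    "%{IPORHOST:source} +:* *%{BASE10NUM:Domain},%{DATE_US2:LoggedDate} +%{TIME:LoggedTime},"
    "%{NOTCOMMA:SerialNumber},%{NOTCOMMA:Type},%{NOTCOMMA:Subtype},%{NOTCOMMA:ConfigVersion},"
    "%{DATE_US2:EventDate} +%{TIME:EventTime},%{IP:SourceIP},%{IP:DestinationIP},"
    "(%{IP:NATSourceIP})?,(%{IP:NATDestinationIP})?,(%{NOTCOMMA:RuleName})?,(%{NOTCOMMA:SourceUser})?,"
    "(%{NOTCOMMA:DestinationUser})?,(%{NOTCOMMA:Application})?,%{NOTCOMMA:VirtualSystem},"
    "%{NOTCOMMA:SourceZone},%{NOTCOMMA:DestinationZone},%{NOTCOMMA:IngressInterface},"
    "(%{NOTCOMMA:EgressInterface})?,%{NOTCOMMA:LogForwardingProfile},%{NOTCOMMA:UNWANTED},"
    "%{BASE10NUM:SessionID},%{BASE10NUM:RepeatCount},(%{BASE10NUM:SourcePort})?,"
    "(%{BASE10NUM:DestinationPort})?,(%{BASE10NUM:NATSourcePort})?,(%{BASE10NUM:NATDestinationPort})?,"
    "%{NOTCOMMA:Flags},%{NOTCOMMA:Protocol},%{NOTCOMMA:Action},%{QSORNC:Miscellaneous},"
    "%{NOTCOMMA:ThreatID},%{NOTCOMMA:Category},%{NOTCOMMA:Severity},%{NOTCOMMA:Direction},"
    "%{BASE10NUM:Sequence},%{NOTCOMMA:ActionFlags},(%{NOTCOMMA:SourceLocation})?,"
    "(%{NOTCOMMA:DestinationLocation})?.*"
)
# The pre-fix variant: RuleName and EgressInterface mandatory, so empty fields fail.
UNPATCHED = THREAT.replace("(%{NOTCOMMA:RuleName})?", "%{NOTCOMMA:RuleName}").replace(
    "(%{NOTCOMMA:EgressInterface})?", "%{NOTCOMMA:EgressInterface}")

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group and bare %{NAME} into a non-capturing one."""
    def expand(m):
        base, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK[base]})" if field else f"(?:{GROK[base]})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def parse_threat(line, pattern=THREAT):
    """Return the extracted fields (None for absent optional ones), or None on no match."""
    m = grok_to_regex(pattern).match(line)
    return m.groupdict() if m else None

# Constructed THREAT line: NATDestinationIP, RuleName, both users and EgressInterface
# are empty, and Miscellaneous is a quoted URL that itself contains commas.
SAMPLE = (
    "pa-fw01 1,2017/05/10 15:35:02,001606000001,THREAT,vulnerability,1,2017/05/10 15:35:01,"
    "10.0.0.5,192.0.2.10,203.0.113.7,,,,,web-browsing,vsys1,trust,untrust,ethernet1/2,,default,"
    '0,12345,1,51234,80,0,0,0x402000,tcp,alert,"example.test/a,b,c",Generic Threat Name(99999),'
    "any,medium,client-to-server,1001,0x0,10.0.0.0-10.255.255.255,US"
)
```

Running `parse_threat(SAMPLE)` yields the field dict with `RuleName` and `EgressInterface` set to None, while `parse_threat(SAMPLE, UNPATCHED)` returns None, which is the failure the dashboards were hitting.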
Thanks for the patch! Working here on PANOS 7.1.14