[Filebeat] Palo Alto integration with User-ID #24722
Comments
botelastic
bot
added
the
needs_team
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
Hey @rdrgporto! Increased our Palo Alto event coverage is certainly something we'd like to do, including the User-ID logs. We currently have very limited sample data in order to add support to our module. Would you be able to share some sample User-ID events so we can review the format? Sanitised events are fine. |
|
Hi, @jamiehynds Here you are: I configured Palo Alto (Version 9.1) in order to send logs via Syslog. I have a virtual machine which writes its information into a file (I had to configure Rsyslog). Logstash reads it and parse it. I used Palo Alto documentation in order to know fields name. Thanks 😃 , Rodrigo |
|
Created #24724 and added some info to https://discuss.elastic.co/t/palo-alto-integration-with-userid-siem-feature/268173/5 |
|
I can try to update the PanOS fileset to parse these logs. |
|
I've started a draft for this |
|
@rdrgporto Do you have more User ID logs examples. I looked here,https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkACAS and the amount of fields don't seem to line up |
|
Hi, @legoguy1000 Here you are more User ID examples and my test Logstash pipeline configuration example: I have looked on Palo Alto documentation in order to figure out fields names: Palo Alto 9.1.3. Thanks in advance 😃 |
|
updated the PR with these logs and took some of your changes from the logstash pipeline you provided. |
|
Took PR out of draft |
Hi, everyone
I have been working with Palo Alto and Filebeat over several days. I have looked on Elastic documentation that it currently supports messages of Traffic and Threat types.
Is it considered to parsing User-ID type ? I would like to get it because it provides information about login and logouts of usernames.
Thanks in advance,
Rodrigo
The text was updated successfully, but these errors were encountered: