[Filebeat] Palo Alto integration with User-ID #24722
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Hey @rdrgporto! Increasing our Palo Alto event coverage is certainly something we'd like to do, including the User-ID logs. We currently have very limited sample data with which to add support to our module. Would you be able to share some sample User-ID events so we can review the format? Sanitised events are fine.
Hi, @jamiehynds Here you are:
I configured Palo Alto (Version 9.1) to send logs via Syslog. I have a virtual machine which writes its information into a file (I had to configure Rsyslog). Logstash reads it and parses it. I used the Palo Alto documentation to find out the field names. Thanks 😃 , Rodrigo
Created #24724 and added some info to https://discuss.elastic.co/t/palo-alto-integration-with-userid-siem-feature/268173/5
I can try to update the PanOS fileset to parse these logs.
I've started a draft for this
@rdrgporto Do you have more User ID log examples? I looked here, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkACAS, and the number of fields doesn't seem to line up.
Hi, @legoguy1000 Here are more User ID examples and my test Logstash pipeline configuration example. I have looked at the Palo Alto documentation to figure out the field names: Palo Alto 9.1.3. Thanks in advance 😃
Updated the PR with these logs and took some of your changes from the Logstash pipeline you provided.
Took PR out of draft
Hi, everyone
I have been working with Palo Alto and Filebeat over several days. I have seen in the Elastic documentation that it currently supports messages of the Traffic and Threat types.
Is parsing of the User-ID type being considered? I would like to have it because it provides information about logins and logouts of usernames.
Thanks in advance,
Rodrigo