[Filebeat] Add HIP Match logs to Palo Alto Module #25686
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
adriansr
added
backport-v7.14.0
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
/test |
|
Found two more HIPMATCH samples, not a lot of those around: |
I will add those when I a chance |
|
@adriansr I added 1 of the new samples, the other's format was way off so I ignored it. |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
legoguy1000
force-pushed
the
24350-palo-hipmatch
branch
from
837da68
to
1f875fa
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
legoguy1000
force-pushed
the
24350-palo-hipmatch
branch
from
1f875fa
to
15ff3ab
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
legoguy1000
force-pushed
the
24350-palo-hipmatch
branch
from
15ff3ab
to
867926b
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
legoguy1000
force-pushed
the
24350-palo-hipmatch
branch
from
867926b
to
422a10a
Compare
|
@adriansr This is ready for CI tests |
|
/test |
|
@adriansr looks GTG |
adriansr
suggested changes
May 20, 2021
| @@ -291,3 +291,43 @@ | |||
| type: keyword | |||
| description: > | |||
| The type of tunnel (either SSLVPN or IPSec). | |||
|
|
|||
| - name: connect_method | |||
There was a problem hiding this comment.
Can you add a default_field: false key to each of the new fields?
We forgot this for the previous filesets. This is done to avoid hitting the limit of ~10k default fields in the index template for filebeat indices.
There was a problem hiding this comment.
I updated just the fields I added in this and previous PR. Do you want me to do more??
Comment on lines
+218
to
+222
| panw.panos.selection_type: 37 | ||
| panw.panos.response_time: 38 | ||
| panw.panos.priority: 39 | ||
| panw.panos.attempted_gateways: 40 | ||
| panw.panos.gateway: 41 |
There was a problem hiding this comment.
So it's also extracting more fields for GLOBALPROTECT. Out of curiosity, are these documented? I don't see them in the docs.
I was worried that this could cause a failure if the array has less entries, but realized that the fail_on_error: false above will make this backwards compatible.
There was a problem hiding this comment.
I have to find where I found them because I didn't see them originally when I did the last PR but then I saw them
There was a problem hiding this comment.
Found it https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html this is the original link I used which didn't have those extra fields https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields/globalprotect-log-fields-for-pan-os-913-and-later-releases.html#id5795bd71-1dc5-4f82-872d-a9ba6cb7cedf
|
/test |
|
CI test failures addressed |
|
/test |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
legoguy1000
force-pushed
the
24350-palo-hipmatch
branch
from
ecbb63b
to
2269f05
Compare
|
/test |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
mergify bot
pushed a commit
that referenced
this pull request
May 26, 2021
Update panw.panos module to parse HIP Match logs. Also this updates the Global Protect parsing with additional fields per the updated docs, https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html (cherry picked from commit 3a81d81) # Conflicts: # filebeat/docs/fields.asciidoc # x-pack/filebeat/module/panw/fields.go # x-pack/filebeat/module/panw/panos/_meta/fields.yml # x-pack/filebeat/module/panw/panos/config/input.yml # x-pack/filebeat/module/panw/panos/ingest/pipeline.yml # x-pack/filebeat/module/panw/panos/ingest/userid.yml # x-pack/filebeat/module/panw/panos/manifest.yml # x-pack/filebeat/module/panw/panos/test/global_protect.log
💔 Build Failed
Expand to view the summary
Build stats
Trends 🧪Steps errors
Expand to view the steps failures
|
|
@adriansr can our documentation be updated to reflect support for the HIP Match logs and any other logs we've added recently (e.g. Global Protect). Our documentation currently lists Threat and Traffic logs as supported sources from PANW. https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-panw.html |
adriansr
pushed a commit
that referenced
this pull request
Jun 27, 2021
Update panw.panos module to parse HIP Match logs. Also this updates the Global Protect parsing with additional fields per the updated docs, https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html (cherry picked from commit 3a81d81)
adriansr
pushed a commit
that referenced
this pull request
Jun 28, 2021
Update panw.panos module to parse HIP Match logs. Also this updates the Global Protect parsing with additional fields per the updated docs, https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html (cherry picked from commit 3a81d81) Co-authored-by: Alex Resnick <adr8292@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Update
panw.panosmodule to parse HIP Match logs. Also this updates the Global Protect parsing with additional fields per the updated docs, https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.htmlWhy is it important?
Adds additional log types from Palo Alto
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs