[Filebeat] Add HIP Match logs to Palo Alto Module

[legoguy1000]

What does this PR do?

Update panw.panos module to parse HIP Match logs. Also this updates the Global Protect parsing with additional fields per the updated docs, https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html

Why is it important?

Adds additional log types from Palo Alto

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

cd beats/x-pack/filebeat
TESTING_FILEBEAT_MODULES=panw TESTING_FILEBEAT_FILESETS=panos mage -v pythonIntegTest

Related issues

• Closes Extend PANW/panos module with globalprotect and hipmatch datasets #24350

Use cases

Screenshots

Logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: adriansr commented: /test

• Start Time: 2021-05-26T07:45:43.717+0000

• Duration: 107 min 20 sec

• Commit: 2269f05

Test stats 🧪

Test	Results
Failed	0
Passed	13887
Skipped	2292
Total	16179

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	13887
Skipped	2292
Total	16179

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[adriansr]

/test

[adriansr]

Found two more HIPMATCH samples, not a lot of those around:

Oct 09 10:20:15 SumoRedfw01a.sumotest.com 1,2019/10/09 10:20:15,001234567890002,HIPMATCH,0,2304,2019/10/09 10:20:15,ira,vsys1,oh-C02ABCDEFGH4,Mac,67.240.185.235,GP-HIP-PROFILE,1,profile,0,0,0123456789,0x0,0,0,0,0,,SumoRedfw01a,1,0.0.0.0,gh:85:90:99:5a:40,C02ABCDEFGH
Apr 4 22:23:52 panorama.domain 1,2018/04/04 22:23:52,FirewallSerialNumber,749593939,0x8000000000000000,HIPMATCH,0,508,2018/04/04 22:23:50,19,398,0,0,,firewall.name,1,domain\user,vsys1,hostname,8.8.8.8,HIP-PROFILE-RULE,1,Mac,profile,0,0,0.0.0.0

[legoguy1000]

Found two more HIPMATCH samples, not a lot of those around:

Oct 09 10:20:15 SumoRedfw01a.sumotest.com 1,2019/10/09 10:20:15,001234567890002,HIPMATCH,0,2304,2019/10/09 10:20:15,ira,vsys1,oh-C02ABCDEFGH4,Mac,67.240.185.235,GP-HIP-PROFILE,1,profile,0,0,0123456789,0x0,0,0,0,0,,SumoRedfw01a,1,0.0.0.0,gh:85:90:99:5a:40,C02ABCDEFGH
Apr 4 22:23:52 panorama.domain 1,2018/04/04 22:23:52,FirewallSerialNumber,749593939,0x8000000000000000,HIPMATCH,0,508,2018/04/04 22:23:50,19,398,0,0,,firewall.name,1,domain\user,vsys1,hostname,8.8.8.8,HIP-PROFILE-RULE,1,Mac,profile,0,0,0.0.0.0

I will add those when I a chance

[legoguy1000]

@adriansr I added 1 of the new samples, the other's format was way off so I ignored it.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 24350-palo-hipmatch upstream/24350-palo-hipmatch
git merge upstream/master
git push upstream 24350-palo-hipmatch

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 24350-palo-hipmatch upstream/24350-palo-hipmatch
git merge upstream/master
git push upstream 24350-palo-hipmatch

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 24350-palo-hipmatch upstream/24350-palo-hipmatch
git merge upstream/master
git push upstream 24350-palo-hipmatch

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 24350-palo-hipmatch upstream/24350-palo-hipmatch
git merge upstream/master
git push upstream 24350-palo-hipmatch

[legoguy1000]

@adriansr This is ready for CI tests

[adriansr]

/test

[legoguy1000]

@adriansr looks GTG

[adriansr]

Looks good, just a change for the fields.yml and a question about Globalprotect.

[adriansr]

Can you add a default_field: false key to each of the new fields?

We forgot this for the previous filesets. This is done to avoid hitting the limit of ~10k default fields in the index template for filebeat indices.

[legoguy1000]

Can do

[legoguy1000]

I updated just the fields I added in this and previous PR. Do you want me to do more??

[adriansr]

So it's also extracting more fields for GLOBALPROTECT. Out of curiosity, are these documented? I don't see them in the docs.

I was worried that this could cause a failure if the array has less entries, but realized that the fail_on_error: false above will make this backwards compatible.

[legoguy1000]

I have to find where I found them because I didn't see them originally when I did the last PR but then I saw them

[legoguy1000]

Found it https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields.html this is the original link I used which didn't have those extra fields https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields/globalprotect-log-fields-for-pan-os-913-and-later-releases.html#id5795bd71-1dc5-4f82-872d-a9ba6cb7cedf

[adriansr]

/test

[legoguy1000]

CI test failures addressed

[adriansr]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 24350-palo-hipmatch upstream/24350-palo-hipmatch
git merge upstream/master
git push upstream 24350-palo-hipmatch

[adriansr]

LGTM

[adriansr]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 24350-palo-hipmatch upstream/24350-palo-hipmatch
git merge upstream/master
git push upstream 24350-palo-hipmatch

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #25686 updated

• Start Time: 2021-05-26T10:09:56.013+0000

• Duration: 2 min 5 sec

• Commit: 5af50e2

Trends 🧪

Steps errors

Expand to view the steps failures

Git fetch

• Took 0 min 1 sec . View more details on here
• Description: git fetch https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com/elastic/beats.git +refs/pull/*/head:refs/remotes/origin/pr/* > fetch.log 2>&1

Archive the artifacts

• Took 0 min 1 sec . View more details on here
• Description: fetch.log

Log output

Expand to view the last 100 lines of log output

[2021-05-26T10:09:58.402Z]  > git config --get remote.origin.url # timeout=10
[2021-05-26T10:09:58.408Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2021-05-26T10:09:58.415Z]  > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10
[2021-05-26T10:09:59.103Z]  > git rev-parse current^{commit} # timeout=10
[2021-05-26T10:09:59.109Z]  > git branch -a -v --no-abbrev --contains 338418b47db64d2f76791e31a598d28cc38d49fc # timeout=10
[2021-05-26T10:09:59.139Z] Selected match: dependabot/maven/com.github.tomakehurst-wiremock-jre8-2.28.0 revision 338418b47db64d2f76791e31a598d28cc38d49fc
[2021-05-26T10:09:59.140Z] The recommended git tool is: git
[2021-05-26T10:09:59.140Z] using credential f6c7695a-671e-4f4f-a331-acdce44ff9ba
[2021-05-26T10:09:59.146Z]  > git rev-parse --resolve-git-dir /var/lib/jenkins/workspace/Beats_beats_PR-25686@libs/apm/.git # timeout=10
[2021-05-26T10:09:59.151Z] Fetching changes from the remote Git repository
[2021-05-26T10:09:59.151Z]  > git config remote.origin.url git@github.com:elastic/apm-pipeline-library.git # timeout=10
[2021-05-26T10:09:59.157Z] Fetching without tags
[2021-05-26T10:09:59.157Z] Fetching upstream changes from git@github.com:elastic/apm-pipeline-library.git
[2021-05-26T10:09:59.157Z]  > git --version # timeout=10
[2021-05-26T10:09:59.162Z]  > git --version # 'git version 2.17.1'
[2021-05-26T10:09:59.162Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2021-05-26T10:09:59.167Z]  > git fetch --no-tags --progress -- git@github.com:elastic/apm-pipeline-library.git +refs/heads/*:refs/remotes/origin/* # timeout=10
[2021-05-26T10:09:59.861Z] Checking out Revision 338418b47db64d2f76791e31a598d28cc38d49fc (dependabot/maven/com.github.tomakehurst-wiremock-jre8-2.28.0)
[2021-05-26T10:09:59.861Z]  > git config core.sparsecheckout # timeout=10
[2021-05-26T10:09:59.866Z]  > git checkout -f 338418b47db64d2f76791e31a598d28cc38d49fc # timeout=10
[2021-05-26T10:09:59.882Z] Commit message: "[maven-release-plugin] prepare release v1.1.216"
[2021-05-26T10:10:00.655Z] Excluding src/test/ from checkout of git git@github.com:elastic/apm-pipeline-library.git so that shared library test code cannot be accessed by Pipelines.
[2021-05-26T10:10:00.655Z] To remove this log message, move the test code outside of src/. To restore the previous behavior that allowed access to files in src/test/, pass -Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins.
[2021-05-26T10:10:16.909Z] Still waiting to schedule task
[2021-05-26T10:10:16.910Z] All nodes of label ‘ubuntu-18&&immutable’ are offline
[2021-05-26T10:11:03.107Z] Running on beats-ci-immutable-ubuntu-1804-1622023803857897701 in /var/lib/jenkins/workspace/Beats_beats_PR-25686
[2021-05-26T10:11:03.240Z] �[39;49m[INFO] Override default checkout�[0m
[2021-05-26T10:11:03.305Z] Sleeping for 10 sec
[2021-05-26T10:11:13.480Z] The recommended git tool is: git
[2021-05-26T10:11:18.121Z] using credential f6c7695a-671e-4f4f-a331-acdce44ff9ba
[2021-05-26T10:11:18.126Z] Wiping out workspace first.
[2021-05-26T10:11:18.196Z] Cloning the remote Git repository
[2021-05-26T10:11:18.196Z] Using shallow clone with depth 10
[2021-05-26T10:11:18.196Z] Avoid fetching tags
[2021-05-26T10:11:18.261Z] Cloning repository git@github.com:elastic/beats.git
[2021-05-26T10:11:18.305Z]  > git init /var/lib/jenkins/workspace/Beats_beats_PR-25686 # timeout=10
[2021-05-26T10:11:18.424Z] Fetching upstream changes from git@github.com:elastic/beats.git
[2021-05-26T10:11:18.424Z]  > git --version # timeout=10
[2021-05-26T10:11:18.429Z]  > git --version # 'git version 2.17.1'
[2021-05-26T10:11:18.429Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2021-05-26T10:11:18.456Z]  > git fetch --no-tags --progress -- git@github.com:elastic/beats.git +refs/heads/*:refs/remotes/origin/* # timeout=15
[2021-05-26T10:11:39.534Z] Cleaning workspace
[2021-05-26T10:11:39.547Z] Using shallow fetch with depth 10
[2021-05-26T10:11:39.547Z] Pruning obsolete local branches
[2021-05-26T10:11:39.518Z]  > git config remote.origin.url git@github.com:elastic/beats.git # timeout=10
[2021-05-26T10:11:39.523Z]  > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10
[2021-05-26T10:11:39.530Z]  > git config remote.origin.url git@github.com:elastic/beats.git # timeout=10
[2021-05-26T10:11:39.536Z]  > git rev-parse --verify HEAD # timeout=10
[2021-05-26T10:11:39.540Z] No valid HEAD. Skipping the resetting
[2021-05-26T10:11:39.540Z]  > git clean -fdx # timeout=10
[2021-05-26T10:11:39.553Z] Fetching upstream changes from git@github.com:elastic/beats.git
[2021-05-26T10:11:39.553Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2021-05-26T10:11:39.560Z]  > git fetch --no-tags --progress --prune -- git@github.com:elastic/beats.git +refs/pull/25686/head:refs/remotes/origin/PR-25686 +refs/heads/master:refs/remotes/origin/master # timeout=15
[2021-05-26T10:11:40.687Z] Merging remotes/origin/master commit 4065dfdd0b76649e2a6cf046416db0db10abdd6d into PR head commit 5af50e299efdf7e5a908f0aeeb2375ab0ce82f90
[2021-05-26T10:11:40.694Z]  > git config core.sparsecheckout # timeout=10
[2021-05-26T10:11:40.698Z]  > git checkout -f 5af50e299efdf7e5a908f0aeeb2375ab0ce82f90 # timeout=15
[2021-05-26T10:11:42.305Z] Merge succeeded, producing 5af50e299efdf7e5a908f0aeeb2375ab0ce82f90
[2021-05-26T10:11:42.305Z] Checking out Revision 5af50e299efdf7e5a908f0aeeb2375ab0ce82f90 (PR-25686)
[2021-05-26T10:11:42.278Z]  > git remote # timeout=10
[2021-05-26T10:11:42.282Z]  > git config --get remote.origin.url # timeout=10
[2021-05-26T10:11:42.285Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2021-05-26T10:11:42.288Z]  > git merge 4065dfdd0b76649e2a6cf046416db0db10abdd6d # timeout=10
[2021-05-26T10:11:42.299Z]  > git rev-parse HEAD^{commit} # timeout=10
[2021-05-26T10:11:42.308Z]  > git config core.sparsecheckout # timeout=10
[2021-05-26T10:11:42.311Z]  > git checkout -f 5af50e299efdf7e5a908f0aeeb2375ab0ce82f90 # timeout=15
[2021-05-26T10:11:47.139Z] Commit message: "Merge branch 'master' into 24350-palo-hipmatch"
[2021-05-26T10:11:47.148Z] First time build. Skipping changelog.
[2021-05-26T10:11:47.148Z] Cleaning workspace
[2021-05-26T10:11:47.649Z] Timeout set to expire in 3 hr 0 min
[2021-05-26T10:11:47.660Z] The timestamps step is unnecessary when timestamps are enabled for all Pipeline builds.
[2021-05-26T10:11:47.814Z] [INFO] Number of builds to be searched 10
[2021-05-26T10:11:48.445Z] [INFO] 'shallow' is forced to be disabled when running on PullRequests
[2021-05-26T10:11:48.456Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-25686@tmp
[2021-05-26T10:11:48.468Z] [INFO] gitCheckout: Checkout SCM PR-25686 with default customisation from the Item.
[2021-05-26T10:11:48.490Z] [INFO] Override default checkout
[2021-05-26T10:11:48.523Z] Sleeping for 10 sec
[2021-05-26T10:11:47.143Z]  > git rev-list --no-walk 4f7a03ed81a7afbce52d5062ce2e350dc2ea5c21 # timeout=10
[2021-05-26T10:11:47.150Z]  > git rev-parse --verify HEAD # timeout=10
[2021-05-26T10:11:47.154Z] Resetting working tree
[2021-05-26T10:11:47.154Z]  > git reset --hard # timeout=10
[2021-05-26T10:11:47.484Z]  > git clean -fdx # timeout=10
[2021-05-26T10:11:58.755Z] Masking supported pattern matches of $GIT_USERNAME or $GIT_PASSWORD
[2021-05-26T10:11:59.417Z] + git fetch https://****:****@github.com/elastic/beats.git +refs/pull/*/head:refs/remotes/origin/pr/*
[2021-05-26T10:11:59.551Z] [WARN] gitCmd failed, further details in the archived file 'fetch.log'
[2021-05-26T10:11:59.671Z] Archiving artifacts
[2021-05-26T10:12:00.457Z] Stage "Lint" skipped due to earlier failure(s)
[2021-05-26T10:12:00.484Z] Stage "Build&Test" skipped due to earlier failure(s)
[2021-05-26T10:12:00.511Z] Stage "Extended" skipped due to earlier failure(s)
[2021-05-26T10:12:00.539Z] Stage "Packaging" skipped due to earlier failure(s)
[2021-05-26T10:12:00.565Z] Stage "Packaging-Pipeline" skipped due to earlier failure(s)
[2021-05-26T10:12:00.609Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-25686/src/github.com/elastic/beats
[2021-05-26T10:12:00.913Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-25686
[2021-05-26T10:12:01.000Z] [INFO] getVaultSecret: Getting secrets
[2021-05-26T10:12:01.036Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2021-05-26T10:12:01.754Z] + chmod 755 generate-build-data.sh
[2021-05-26T10:12:01.754Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25686/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25686/runs/16 FAILURE 125481
[2021-05-26T10:12:01.754Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25686/runs/16/steps/?limit=10000 -o steps-info.json
[2021-05-26T10:12:01.754Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-25686/runs/16/tests/?status=FAILED -o tests-errors.json
[2021-05-26T10:12:01.754Z] Retry 1/3 exited 22, retrying in 1 seconds...
[2021-05-26T10:12:03.097Z] Retry 2/3 exited 22, retrying in 2 seconds...

❕ Flaky test report

No test was executed to be analysed.

[jamiehynds]

@adriansr can our documentation be updated to reflect support for the HIP Match logs and any other logs we've added recently (e.g. Global Protect).

Our documentation currently lists Threat and Traffic logs as supported sources from PANW. https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-panw.html