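PaloAlto
PaloAlto Network Threat Syslog Format
PANW-Threat-Syslog-D
<Syslog Priority>Syslog Time Syslog Host : FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type
PANW-Threat true
<11>1 2016-07-29T17:31:33-05:00 PA01.internal.exebridge.com 1,2016 - - - 17:31:33,001801031451,THREAT,vulnerability,1,2016/07/29 17:31:33,10.1.20.11,199.181.133.61,75.148.241.193,199.181.133.61,Permit Outbound,exb\mcrook,,web-browsing,vsys1,L3_Trust,L3_Untrust,ae1,ethernet1/1,Alert Critical,2016/07/29 17:31:33,103143,1,55448,80,19347,80,0x80420000,tcp,reset-both,"results",Apache Wicket Unspecified XSS Vulnerability(36041),sports,critical,client-to-server,124975,0x0,RM Location 2,US,0,,1201889085355049529,,,1,,,,,,,,0,0,0,0,0,,PA01,
# Logstash filter for PAN-OS THREAT syslog lines (format and sample above).
# Pipeline: grok peels off the syslog header and leaves the PAN-OS CSV body in
# paloalto_message; that body is renamed to message and split by the csv
# filter; the two date filters type the device timestamps; the tagged mutate
# adds the normalised Event:* fields and the ruby filter moves every remaining
# parsed field under the Event:PANW-Threat: namespace.
filter {
  # The header grok: <pri>version timestamp host, then "1,2016 - - - " before
  # the CSV body in the sample. As the sample shows, the receive-time date
  # portion ends up in year/future_use1a-c, so ReceiveTime below only carries
  # the time of day; GenerateTime is the field to rely on for the device time.
  # add_tag only fires on a successful match, so the tag doubles as the
  # "parsed OK" signal for everything that follows.
  grok {
    match => {'message' => '<%{POSINT:syslog_priority}>%{POSINT:version}%{SPACE}%{TIMESTAMP_ISO8601:syslog_timestamp} %{HOSTNAME:syslog_hostName} %{DATA:identifier},%{DATA:year} %{DATA:future_use1a} %{DATA:future_use1b} %{DATA:future_use1c} %{GREEDYDATA:paloalto_message}'}
    add_tag => [ "PANW-Threat" ]
  }

  # Everything below is gated on the grok having matched. Previously the csv
  # and date filters ran unconditionally: on a _grokparsefailure the rename is
  # a no-op and the csv filter would split the raw syslog line into the column
  # names below, silently populating SourceAddress, Action, Severity, ... with
  # the wrong data. Unparsed lines now keep their raw message untouched.
  if "PANW-Threat" in [tags] {
    mutate { rename => ["paloalto_message", "message"] }

    # Column order follows the PAN-OS THREAT layout listed at the top of this
    # page (Threat-ContentType = Subtype, ConfigVersion = FUTURE_USE,
    # URL = Miscellaneous, Threat-ContentName = Threat ID).
    csv {
      columns => ["ReceiveTime", "SerialNum", "Type", "Threat-ContentType", "ConfigVersion", "GenerateTime", "SourceAddress", "DestinationAddress", "NATSourceIP", "NATDestinationIP", "Rule", "SourceUser", "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone", "InboundInterface", "OutboundInterface", "LogAction", "TimeLogged", "SessionID", "RepeatCount", "SourcePort", "DestinationPort", "NATSourcePort", "NATDestinationPort", "Flags", "IPprotocol", "Action", "URL", "Threat-ContentName", "Category", "Severity", "Direction", "seqno", "actionflags", "SourceCountry", "DestinationCountry", "cpadding", "ContentType", "pcap_id", "filedigest", "cloud", "data1", "data2", "data3", "data4", "data5", "data6", "data7", "url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject", "recipient"]
    }

    # The device timestamps carry no zone, so without an explicit timezone
    # option they are interpreted in the Logstash host's zone; set it to the
    # firewall's configured zone if the two differ, otherwise timelines built
    # from GenerateTime/TimeLogged are offset from the syslog_timestamp.
    date {
      match => ["GenerateTime", "yyyy/MM/dd HH:mm:ss"]
      target => "GenerateTime"
      # timezone => "<FIREWALL_TIMEZONE>"
    }
    date {
      match => ["TimeLogged", "yyyy/MM/dd HH:mm:ss"]
      target => "TimeLogged"
      # timezone => "<FIREWALL_TIMEZONE>"
    }

    mutate {
      # The Miscellaneous column is mapped to the URL field above; the original
      # gsub targeted a non-existent "miscellaneous" field and was a no-op.
      # The csv filter should already unquote a quoted field such as "results",
      # so this only strips stray quotes that survive parsing.
      gsub => ["URL", "\"", ""]
      # Dropping message removes the raw log line from the stored event; the
      # parsed columns above keep its content, but keep message if the raw
      # line is needed as evidence.
      remove_field => ['@version','path','@message','message']
      add_field => [ 'Event:Event-Name', '%{Type}' ]
      # NOTE(review): Threat-ContentType holds the Subtype ("vulnerability" in
      # the sample); the threat's name/ID ("Apache Wicket ... (36041)") is in
      # Threat-ContentName. Confirm which of the two Event:Threat-Name is
      # meant to carry before relying on it in detections.
      add_field => [ 'Event:Threat-Name', '%{Threat-ContentType}' ]
      add_field => [ 'Event:Source-IP-Address', '%{SourceAddress}' ]
      add_field => [ 'Event:Destination-IP-Address', '%{DestinationAddress}' ]
      # Initial value only: the ruby filter below replaces it with the
      # pipeline's processing time.
      add_field => [ 'Event:Timestamp', '%{syslog_timestamp}' ]
      add_field => [ 'Event:Username', '%{SourceUser}' ]
      add_field => [ 'Event:Pattern-Name', 'PANW-Threat' ]
    }

    # Uses the legacy event API (event[...], event.remove); Logstash 5+ needs
    # event.get/event.set instead.
    ruby {
      code => "
        # Move every parsed firewall field under the Event:PANW-Threat:
        # namespace. Fields already under Event: (the normalised ones added
        # above) and the Logstash-internal @-fields stay where they are.
        # Iterating over a clone keeps the removals safe while the live event
        # is being mutated.
        data = event.clone.to_hash
        data.each do |k, v|
          next if k.start_with?('Event:') || k.start_with?('@')
          event['Event:PANW-Threat:' + k] = v
          event.remove(k)
        end
        # Event:Timestamp is the pipeline's processing time in the Logstash
        # host's local zone, not the time the firewall saw the threat. The
        # device-reported times survive as Event:PANW-Threat:syslog_timestamp
        # and Event:PANW-Threat:GenerateTime for timeline reconstruction.
        event['Event:Timestamp'] = Time.now.strftime('%Y-%m-%d %H:%M:%S')
      "
    }
  }
}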