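Palo Alto Net-UID Palo Alto Networks GP Syslog Format PANW-USERID-Syslog Syslog Time Syslog Host user="$user",ip=" $ip" PANW-USERID true
Dec 23 00:59:37 LW-SEC-PA200.lw.lab user=lw\admin,ip=10.160.42.160
# Logstash filter: normalise Palo Alto Networks User-ID syslog lines of the
# form "<syslog ts> <host> user=<name>,ip=<addr>" into flat "Event:*" fields.
#
# Sample input (the line above):
#   Dec 23 00:59:37 LW-SEC-PA200.lw.lab user=lw\admin,ip=10.160.42.160
filter {
  grok {
    # DATA is non-greedy, so source_user ends at the first ",ip=".
    # The pattern is unanchored: text before the timestamp or after the
    # address is ignored rather than causing a match failure.
    match => { 'message' => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:syslog_hostName} user=%{DATA:source_user},ip=%{IPORHOST:source_ip}" }
    add_tag => [ "PANW-USERID" ]
  }

  # add_tag is applied only on a successful grok match, so lines that did
  # not parse skip the normalisation below.
  if ("PANW-USERID" in [tags]) {
    mutate {
      remove_field => [ '@version', 'path', '@message', 'message' ]
      add_field => [ 'Event:Source-IP-Address', '%{source_ip}' ]
      add_field => [ 'Event:Username', '%{source_user}' ]
      add_field => [ 'Event:Pattern-Name', 'PANW-USERID' ]
    }

    # Move every remaining field that is not already "Event:*" and not an
    # "@"-prefixed Logstash internal under the "Event:PANW-USERID:" prefix.
    # Iterating over a cloned copy keeps the loop stable while the live
    # event is mutated.
    # NOTE(review): this also moves 'tags', 'host' and 'type', so a later
    # conditional on [tags] will no longer see "PANW-USERID" - confirm that
    # is intended.
    # NOTE(review): event[...] / event.remove is the pre-5.x Event API;
    # Logstash 5+ requires event.get / event.set.
    # NOTE(review): Event:Timestamp is the Logstash host's wall clock at
    # processing time, in its local zone with no zone suffix; the device's
    # own time survives only as Event:PANW-USERID:syslog_timestamp. For
    # cross-host correlation consider emitting UTC or the parsed time.
    ruby {
      code => "
        event.clone.to_hash.each do |name, value|
          next if name.start_with?('Event:') || name.start_with?('@')
          event['Event:PANW-USERID:' + name] = value
          event.remove(name)
        end
        event['Event:Timestamp'] = Time.now.strftime('%Y-%m-%d %H:%M:%S')
      "
    }
  }
}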