paloalto FW
Description¶
-
Constructor : Palo Alto
-
Product : Fire wall
-
log types : Palo_Alto_FW
log sample¶
- Palo_Alto_FW Traffic
1 | 1,2019/01/14 11:00:00,0009C101741,TRAFFIC,end,1,2019/01/14 11:00:00,196.100.3.2,10.33.241.200,10.82.74.163,10.33.241.200,12,,,google-base,vsys1,ZONE_BULLE_MEDIUM,RAIZ,ae2.2561,ae1.2517,All Traffic to Syslog SPE,2019/01/14 11:00:00,33708797,1,43490,8080,43490,8080,0x530850,tcp,allow,9541,2175,7366,31,2019/01/14 10:59:42,16,not-resolved,0,183717519023,0x0,KE,10.0.0.0-10.255.255.255,0,13,18,tcp-fin,0,0,0,0,vsys1,THSDC1IANFWL01P,from-policy |
- Palo_Alto_FW System
1 | 1,2019/01/14 11:36:39,0009C101741,SYSTEM,general,0,2019/01/14 11:36:39,,general,,0,0,general,critical,"Chassis Master Alarm: Cleared",94089,0x0,0,0,0,0,,THSDC1IANFWL01P |
Parsing strategy¶
-
First of all, we use the csv operator in order to order the log (the right key with the right value) in an array.
-
Then, we can now normalize the fields
Fields normalization¶
- Palo_Alto_FW Traffic
| Normalized fields | Parsed fields |
|---|---|
| [init][host][ip] | [tmp][source_ip] |
| [init][host][nat][ip] | [tmp][nat_source_ip] |
| [init][host][nat][port] | [tmp][nat_source_port] |
| [init][host][port] | [tmp][source_port] |
| [init][usr][name] | [tmp][source user] |
| [target][host][ip] | [tmp][destination_ip] |
| [target][host][nat][ip] | [tmp][nat_destination_ip] |
| [target][host][nat][port] | [tmp][nat_destination_port] |
| [target][host][port] | [tmp][destination_port] |
| [target][usr][name] | [tmp][destination user] |
| [app][proto][name] | [tmp][protocol] |
| [app][name] | [tmp][application] |
| [alarm][name] | [tmp][session_end_reason] |
| [action] | [tmp][action] |
| [rule]] | [tmp][rule_name] |
| [type] | "Firewall" |
| [session][id] | [tmp][session_id] |
| [session][in][byte] | [tmp][bytes_received] |
| [session][out][byte] | [tmp][bytes_sent] |
| [session][in][packet] | [tmp][packets_received] |
| [session][out][packet] | [tmp][packets_sent] |
| [session][duration] | [tmp][elapsed_time] |
| [paloalto][source_location] | [tmp][source_location] |
| [paloalto][destination_location] | [tmp][destination_location] |
| [paloalto][subtype] | [tmp][content_type] |
| [paloalto][virtual_system] | [tmp][virtual_system] |
| [paloalto][ingress_interface] | [tmp][inbound_interface] |
| [paloalto][egress_interface] | [tmp][outbound_interface] |
| [paloalto][source_zone] | [tmp][source_zone] |
| [paloalto][destination_zone] | [tmp][destination_zone] |
| [paloalto][repeat_count] | [tmp][repeat_count] |
| [paloalto][category] | [tmp][category] |
| [paloalto][type] | [tmp][type] |
| [obs][ts] | [tmp][generated_time] |
| [obs][host][name] | [tmp][Device Name] |
-
Palo_Alto_FW System
Normalized fields Parsed fields [type] "firewall" [alarm][name] [tmp][description] [alarm][sev] [tmp][severity] [paloalto][subtype] [tmp][subtype] [paloalto][module] [tmp][module] [paloalto][object] [tmp][object] [paloalto][type] [tmp][type] [obs][ts] [tmp][source user] [obs][host][name] [tmp][Device Name]