
paloalto FW

Description

  • Vendor : Palo Alto

  • Product : Firewall

  • Log types : Palo_Alto_FW

Log samples

  • Palo_Alto_FW Traffic
1,2019/01/14 11:00:00,0009C101741,TRAFFIC,end,1,2019/01/14 11:00:00,196.100.3.2,10.33.241.200,10.82.74.163,10.33.241.200,12,,,google-base,vsys1,ZONE_BULLE_MEDIUM,RAIZ,ae2.2561,ae1.2517,All Traffic to Syslog SPE,2019/01/14 11:00:00,33708797,1,43490,8080,43490,8080,0x530850,tcp,allow,9541,2175,7366,31,2019/01/14 10:59:42,16,not-resolved,0,183717519023,0x0,KE,10.0.0.0-10.255.255.255,0,13,18,tcp-fin,0,0,0,0,vsys1,THSDC1IANFWL01P,from-policy
  • Palo_Alto_FW System
1,2019/01/14 11:36:39,0009C101741,SYSTEM,general,0,2019/01/14 11:36:39,,general,,0,0,general,critical,"Chassis Master Alarm: Cleared",94089,0x0,0,0,0,0,,THSDC1IANFWL01P

Parsing strategy

  • First, we use the csv operator to split the log line into an array, so that each key is matched with its value by position (quoted values may contain commas, which is why a csv split is used rather than a plain split on ",").

  • Then we normalize the fields, mapping each parsed key to its normalized field as listed below.

Fields normalization

  • Palo_Alto_FW Traffic
Normalized fields                    Parsed fields
[init][host][ip]                     [tmp][source_ip]
[init][host][nat][ip]                [tmp][nat_source_ip]
[init][host][nat][port]              [tmp][nat_source_port]
[init][host][port]                   [tmp][source_port]
[init][usr][name]                    [tmp][source user]
[target][host][ip]                   [tmp][destination_ip]
[target][host][nat][ip]              [tmp][nat_destination_ip]
[target][host][nat][port]            [tmp][nat_destination_port]
[target][host][port]                 [tmp][destination_port]
[target][usr][name]                  [tmp][destination user]
[app][proto][name]                   [tmp][protocol]
[app][name]                          [tmp][application]
[alarm][name]                        [tmp][session_end_reason]
[action]                             [tmp][action]
[rule]                               [tmp][rule_name]
[type]                               "Firewall"
[session][id]                        [tmp][session_id]
[session][in][byte]                  [tmp][bytes_received]
[session][out][byte]                 [tmp][bytes_sent]
[session][in][packet]                [tmp][packets_received]
[session][out][packet]               [tmp][packets_sent]
[session][duration]                  [tmp][elapsed_time]
[paloalto][source_location]          [tmp][source_location]
[paloalto][destination_location]     [tmp][destination_location]
[paloalto][subtype]                  [tmp][content_type]
[paloalto][virtual_system]           [tmp][virtual_system]
[paloalto][ingress_interface]        [tmp][inbound_interface]
[paloalto][egress_interface]         [tmp][outbound_interface]
[paloalto][source_zone]              [tmp][source_zone]
[paloalto][destination_zone]         [tmp][destination_zone]
[paloalto][repeat_count]             [tmp][repeat_count]
[paloalto][category]                 [tmp][category]
[paloalto][type]                     [tmp][type]
[obs][ts]                            [tmp][generated_time]
[obs][host][name]                    [tmp][Device Name]
  • Palo_Alto_FW System

    Normalized fields                Parsed fields
    [type]                           "firewall"
    [alarm][name]                    [tmp][description]
    [alarm][sev]                     [tmp][severity]
    [paloalto][subtype]              [tmp][subtype]
    [paloalto][module]               [tmp][module]
    [paloalto][object]               [tmp][object]
    [paloalto][type]                 [tmp][type]
    [obs][ts]                        [tmp][source user]
    [obs][host][name]                [tmp][Device Name]
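As an added illustration of the two steps of the parsing strategy (the csv split, then the field normalization for the Traffic and System tables), the script below is example code written for this page, not the project's own parser. It runs the two sample lines from this page through a csv split, names the columns by position, checks the log type and the column count, and then builds the nested normalized layout from the tables. The positional column names are an assumption taken from the PAN-OS 8.x traffic and system log layouts (they line up with both samples); parsed names are written with underscores (source_user, device_name) where the tables use spaces, and the system event's [obs][ts] is taken from the generated-time column, which is a choice of this example.

```python
"""Added example (not the project's parser): csv split, positional naming and
normalization of PAN-OS syslog lines into the nested layout documented above.
The column layouts are assumptions based on the PAN-OS 8.x traffic/system formats."""
import csv

# Assumed positional layouts; "_" marks columns the normalization does not use.
TRAFFIC_COLUMNS = (
    "_ receive_time serial type content_type _ generated_time source_ip destination_ip "
    "nat_source_ip nat_destination_ip rule_name source_user destination_user application "
    "virtual_system source_zone destination_zone inbound_interface outbound_interface "
    "log_action _ session_id repeat_count source_port destination_port nat_source_port "
    "nat_destination_port flags protocol action bytes bytes_sent bytes_received packets "
    "start_time elapsed_time category _ sequence_number action_flags source_location "
    "destination_location _ packets_sent packets_received session_end_reason _ _ _ _ "
    "virtual_system_name device_name action_source"
).split()
SYSTEM_COLUMNS = (
    "_ receive_time serial type subtype _ generated_time virtual_system event_id object "
    "_ _ module severity description sequence_number action_flags _ _ _ _ "
    "virtual_system_name device_name"
).split()

# Normalization tables from this page, written as "normalized.path=parsed_column".
TRAFFIC_MAP = (
    "init.host.ip=source_ip init.host.nat.ip=nat_source_ip init.host.nat.port=nat_source_port "
    "init.host.port=source_port init.usr.name=source_user target.host.ip=destination_ip "
    "target.host.nat.ip=nat_destination_ip target.host.nat.port=nat_destination_port "
    "target.host.port=destination_port target.usr.name=destination_user "
    "app.proto.name=protocol app.name=application alarm.name=session_end_reason "
    "action=action rule=rule_name session.id=session_id session.in.byte=bytes_received "
    "session.out.byte=bytes_sent session.in.packet=packets_received "
    "session.out.packet=packets_sent session.duration=elapsed_time "
    "paloalto.source_location=source_location paloalto.destination_location=destination_location "
    "paloalto.subtype=content_type paloalto.virtual_system=virtual_system "
    "paloalto.ingress_interface=inbound_interface paloalto.egress_interface=outbound_interface "
    "paloalto.source_zone=source_zone paloalto.destination_zone=destination_zone "
    "paloalto.repeat_count=repeat_count paloalto.category=category paloalto.type=type "
    "obs.ts=generated_time obs.host.name=device_name"
).split()
SYSTEM_MAP = (
    "alarm.name=description alarm.sev=severity paloalto.subtype=subtype "
    "paloalto.module=module paloalto.object=object paloalto.type=type "
    "obs.ts=generated_time obs.host.name=device_name"  # obs.ts choice of this example
).split()
LAYOUTS = {"TRAFFIC": (TRAFFIC_COLUMNS, TRAFFIC_MAP), "SYSTEM": (SYSTEM_COLUMNS, SYSTEM_MAP)}

# The two sample lines from this page.
TRAFFIC_SAMPLE = (
    "1,2019/01/14 11:00:00,0009C101741,TRAFFIC,end,1,2019/01/14 11:00:00,196.100.3.2,"
    "10.33.241.200,10.82.74.163,10.33.241.200,12,,,google-base,vsys1,ZONE_BULLE_MEDIUM,RAIZ,"
    "ae2.2561,ae1.2517,All Traffic to Syslog SPE,2019/01/14 11:00:00,33708797,1,43490,8080,"
    "43490,8080,0x530850,tcp,allow,9541,2175,7366,31,2019/01/14 10:59:42,16,not-resolved,0,"
    "183717519023,0x0,KE,10.0.0.0-10.255.255.255,0,13,18,tcp-fin,0,0,0,0,vsys1,"
    "THSDC1IANFWL01P,from-policy"
)
SYSTEM_SAMPLE = (
    '1,2019/01/14 11:36:39,0009C101741,SYSTEM,general,0,2019/01/14 11:36:39,,general,,0,0,'
    'general,critical,"Chassis Master Alarm: Cleared",94089,0x0,0,0,0,0,,THSDC1IANFWL01P'
)


def split_csv(line):
    """Step 1, the csv operator: quoted fields such as a system description may
    contain commas, so a plain str.split(",") would shift every later column."""
    return next(csv.reader([line]))


def parse(line):
    """Step 2: pick the layout from the Type column, check the column count,
    then map parsed columns onto the normalized nested paths."""
    fields = split_csv(line)
    if len(fields) < 4 or fields[3] not in LAYOUTS:
        raise ValueError("unknown PAN-OS log type")
    columns, mapping = LAYOUTS[fields[3]]
    if len(fields) != len(columns):
        # Newer PAN-OS releases append columns; a count mismatch means positions can
        # no longer be trusted, so refuse the line rather than mis-map byte counts.
        raise ValueError(f"expected {len(columns)} fields, got {len(fields)}")
    tmp = {name: value for name, value in zip(columns, fields) if name != "_"}
    out = {"type": "Firewall"}  # constant, as in the table
    for entry in mapping:
        path, parsed = entry.split("=")
        value = tmp[parsed]
        if value == "":
            continue  # empty columns (no user known, no object) are left out
        *parents, leaf = path.split(".")
        node = out
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return out


if __name__ == "__main__":
    print(parse(TRAFFIC_SAMPLE))
    print(parse(SYSTEM_SAMPLE))
```

The count check is the part worth keeping when adapting this: a positional CSV parser that accepts any field count will quietly attribute bytes, ports or the session end reason to the wrong normalized field after a firmware upgrade adds columns, and nothing downstream will flag it.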