Convert Palo Alto TCP input to UDP?

Is there a way to modify the built-in Palo Alto TCP input to UDP? Sending PA traffic to a load balancer via TCP but since there’s only one session, it’s only sending to one Graylog node.

Hello & welcome.

I personally haven't found a solution to modify an input to accept a different protocol. There might be someone here that has. Can I ask why you would want to use UDP instead of TCP? I'm not fully understanding why you want to do that.

We send all our PA traffic to our load balancer via TCP so it distributes traffic across all Graylog nodes, but because there’s only one session between PA and our load balancer, it only sends traffic to one Graylog node, causing a huge backlog of messages to be processed by one node.

Notice the one active connection.

We have other UDP inputs from the load balancer, and those are getting distributed just fine.

Hello,

Thank you for the description. Actually, I haven't seen that before; interesting. I haven't hacked a Graylog input yet, and I'm not sure how to go about it. Just a thought: maybe you can copy the Palo Alto TCP input and try to reconfigure the copy to UDP?
Sorry I can't be more help.

I’d like to give that a shot, I’m just not sure where the input is located.

Actually you have my interest in executing something like this. I might spin up a new graylog server and give it a try, but right now I have a lot to do.

Same here.

Since the PAN input is tied into the code of GL, you can’t change the protocol so easily.
What you could do:
Fire up a UDP syslog input, choose your port and use the extractors from this marketplace addon:

Otherwise you could rewrite the code and recompile it.
The source is located here:

Sascha

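As an added example (not code from the thread, from Graylog, or from Palo Alto Networks), here is a minimal picture of what the "UDP syslog input plus extractors" route in the reply above amounts to: each log line travels as one RFC 3164 syslog datagram, so a load balancer that distributes per datagram can spread them across nodes, and the receiving side parses the syslog header and splits the CSV payload the way an extractor would. The hostname, the sample log lines, and the `TRAFFIC_FIELDS` column names are constructed for illustration; a real extractor must follow the field order documented for the PAN-OS version in use.

```python
"""Added example, not from the Graylog thread or either vendor's code."""
import csv
import io
import re
import socket
from datetime import datetime

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss hostname message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)

# Largest UDP payload that fits one unfragmented 1500-byte IPv4 frame:
# 1500 - 20 (IPv4 header) - 8 (UDP header). A fragmented syslog datagram
# is lost entirely if any one fragment is dropped, so stay under this.
MAX_UDP_PAYLOAD = 1472

# ASSUMED column names for illustration only (not the PAN-OS schema).
TRAFFIC_FIELDS = ["receive_time", "serial", "type", "subtype", "src", "dst", "action"]

# Constructed sample payloads in the CSV shape a firewall would emit.
SAMPLE_LOGS = [
    "2024/01/02 03:04:05,001234567890,TRAFFIC,end,10.0.0.5,198.51.100.7,allow",
    '2024/01/02 03:04:06,001234567890,TRAFFIC,end,10.0.0.9,203.0.113.2,deny,"extra, quoted"',
]


def build_syslog(host, payload, facility=1, severity=6, when=None):
    """Build one RFC 3164 message; PRI = facility * 8 + severity, day space-padded."""
    when = when or datetime(2024, 1, 2, 3, 4, 5)
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{ts} {host} {payload}".encode("utf-8")


def fits_in_datagram(message):
    """True if the message can travel without IPv4 fragmentation."""
    return len(message) <= MAX_UDP_PAYLOAD


def parse_syslog(datagram):
    """Split header and CSV body into a dict, as a Graylog extractor would.

    Returns None for anything that is not a well-formed RFC 3164 message.
    """
    m = _SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    # csv handles quoted fields that themselves contain commas.
    fields = next(csv.reader(io.StringIO(m["msg"])))
    record = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
    }
    record.update(zip(TRAFFIC_FIELDS, fields))
    record["extra"] = fields[len(TRAFFIC_FIELDS):]
    return record


def main():
    """Loopback demo: one datagram per message, each parsed independently."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in SAMPLE_LOGS:
        msg = build_syslog("pa-fw1", line)
        assert fits_in_datagram(msg)
        tx.sendto(msg, rx.getsockname())
    # Unlike one long-lived TCP stream, every datagram is a whole message,
    # so a per-datagram balancer can hand each one to a different node.
    for _ in SAMPLE_LOGS:
        data, _ = rx.recvfrom(65535)
        print(parse_syslog(data))
    tx.close()
    rx.close()


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would weigh before switching: UDP gives no delivery guarantee and no backpressure, so a node that is busy simply loses messages rather than queuing them, and the source address is unauthenticated, so the UDP input should be reachable only from the firewall and load balancer addresses. The distribution also depends on the balancer hashing or round-robining per datagram; a balancer that sticks on the source IP and port would still pin the firewall to one node.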
