FW Palo Alto Logs

Hello everyone,
Please, can anyone help me? The logs received from the Palo Alto firewall are misinterpreted because the Palo Alto FW does not respect the same RFC as Graylog… I want the Palo Alto firewall logs to be readable and normalized.
Thanks for answering me.

There are add-ins that people have created in the Marketplace

Marketplace Search on ‘Palo’

You can use GROK either in an extractor or in the pipeline to pull out the field information you want. There are lots of ideas for doing that if you search through community help and the Marketplace.


Thank you for the answer, @tmacgbay. I am blocked on creating a GROK PATTERN for Palo Alto firewall logs :worried::pensive: … in the case of a Cisco switch I receive this error

Must… give… more… information…

I don’t know what this is:

%{PATTERN-sw}

and so I guess I can assume you have no idea what GROK is?

You need to find out what GROK is and build something to parse out EACH field you want.

Find an explanation with Google and maybe play around in an online GROK tester for a while?

I want to normalize the logs, mostly in the case of Palo Alto logs; the Palo Alto firewall logs in Graylog are unreadable.
You're right, I do not have an idea about Grok!

This Grok pattern is for the case of a Cisco switch.

I pointed you to the Marketplace in the above post and even trimmed it to just show content associated with Palo Alto… if you pull one of those down, they have GROK patterns (or other extractors) that are specific to Palo Alto, and even if those don't work you can modify them to your needs… it may not even be a GROK extractor; perhaps you want "split and index" based off commas… Experiment a bit, take a look at what others have written…
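To make the two suggestions above concrete (what a GROK pattern actually is, and the "split and index on commas" alternative), here is an added example in Python. It is not code from the thread or from Graylog; it is a small stand-alone expander that turns `%{NAME:field}` references into a regex the way a Grok library does, applied to a constructed Cisco switch line, plus a comma-split parser applied to a constructed Palo Alto style message. The base patterns other than CISCOMAC, the sample lines and the Palo Alto column names (`PAN_FIELDS`) are assumptions made for the example; the real column order is in the vendor's log-format documentation. CISCOMAC is written with the dot escaped so it matches a literal `.`, which an unescaped `.` would not guarantee.

```python
import csv
import io
import re

# Grok patterns in Grok's own "NAME regex" form. CISCOMAC is the pattern
# discussed in the thread, with the dot escaped so it matches a literal '.'
# in a 0011.2233.4455-style address. The other entries are simplified
# stand-ins for the stock base patterns (assumption: a real Grok library
# ships its own, larger set).
GROK_PATTERNS = {
    "CISCOMAC": r"(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "GREEDYDATA": r".*",
}

# A Grok reference looks like %{NAME} or %{NAME:field}.
_REF = re.compile(r"%\{(?P<name>\w+)(?::(?P<field>\w+))?\}")


def grok_to_regex(pattern, patterns=GROK_PATTERNS):
    """Expand every %{NAME[:field]} reference into one Python regex.

    Referenced patterns may themselves contain references, so the
    expansion recurses. An unknown NAME raises KeyError: that is the
    "non-valid term" case, a pattern that cannot be compiled at all.
    """
    def repl(m):
        name, field = m.group("name"), m.group("field")
        if name not in patterns:
            raise KeyError("unknown grok pattern %%{%s}" % name)
        inner = grok_to_regex(patterns[name], patterns)
        return "(?P<%s>%s)" % (field, inner) if field else "(?:%s)" % inner
    return _REF.sub(repl, pattern)


def grok_match(pattern, line):
    """Apply a Grok pattern to one log line; return the named fields or None."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


def split_and_index(message, field_names):
    """'Split & index' for comma-separated firewall messages. The csv module
    handles quoted fields; each position is keyed by the caller's name and
    columns beyond the known names are ignored."""
    row = next(csv.reader(io.StringIO(message)))
    return {name: row[i] for i, name in enumerate(field_names) if i < len(row)}


# Constructed sample lines for this example (not taken from the thread).
CISCO_LINE = ("%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 "
              "is flapping between port Gi1/0/1 and port Gi1/0/2")
CISCO_PATTERN = ("Host %{CISCOMAC:mac} in vlan %{INT:vlan} is flapping "
                 "%{GREEDYDATA:detail}")

# Assumed names for the first columns of a comma-separated firewall message.
# A real Palo Alto traffic log carries many more columns; check the vendor's
# log-format documentation for the authoritative order before relying on it.
PAN_FIELDS = ["future_use", "receive_time", "serial", "type", "subtype",
              "future_use2", "generated_time", "src_ip", "dst_ip",
              "nat_src_ip", "nat_dst_ip", "rule"]
PAN_LINE = ("1,2019/03/01 10:00:00,0011223344,TRAFFIC,end,1,"
            "2019/03/01 10:00:00,10.0.0.5,192.0.2.10,203.0.113.7,"
            "192.0.2.10,allow-web")


def parse_cisco(line=CISCO_LINE):
    """Grok route: fields pulled out of free-text switch syslog."""
    return grok_match(CISCO_PATTERN, line)


def parse_pan(message=PAN_LINE):
    """Split-and-index route: positional fields from a CSV firewall message."""
    return split_and_index(message, PAN_FIELDS)


if __name__ == "__main__":
    print(grok_to_regex(CISCO_PATTERN))
    print(parse_cisco())
    print(parse_pan())
```

Running the script prints the expanded regex first, which is the useful part when a pattern refuses to work: if a `%{...}` reference survives unexpanded in the output, or the expander raises KeyError, the name inside it is not one your pattern set defines.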

Maybe the integration solution can help you?

http://docs.graylog.org/en/3.0/pages/integrations.html#open-source


Hi @jan, thanks for your feedback, I will see. Note that I'm using Graylog 2.5, open source version.

For the Palo Alto firewall log message, for the purpose of normalizing these logs, I created a Grok pattern.

Why can the Grok pattern not be saved?

It might contain a non-valid term… that is the only reason.


No, I don't think so, I tested it.

@jan, just to give you an example (grok-patterns):
CISCOMAC (?:(?:[A-Fa-f0-9]{4}.){2}[A-Fa-f0-9]{4})

Graylog returns: Saving Grok pattern "CISCOMAC" failed with status cannot POST http://@IP of graylog/api/system/grok (400)

That might be an issue in the lib that is used for that. But in the latest release we have worked on that. So no "bug fix" in your version, but in Graylog 3 I was able to save:

@jan, please, in my case, in my workspace, Graylog 2.5, I collect the logs of several devices… if I migrate to version 3 of Graylog, will that not be a config problem?

I see that you have 2.5, but as I say, this might be a bug in the lib that is used in your Graylog version.

Version 3.0 has an improved version of that lib and does not have the issue, so the fix: update your Graylog.

My OS: CentOS 7. If I migrate to Graylog 3, do I start over… do I set it up again??

I do not get your question.

If I migrate Graylog 2.5 ==> Graylog 3, do I redo the entire installation?

No, you can upgrade. Please read the docs and come back with questions if any are left.

http://docs.graylog.org/en/3.0/pages/upgrade.html#upgrading-graylog-originally-installed-from-package

http://docs.graylog.org/en/3.0/pages/installation/operating_system_packages.html#operating-package-upgrade-rpm-yum-dnf
