How to change the name of the fields where the logs are parsed in a palo alto
Hi everyone,
I’m having some problems with my Graylog interface. Recently, I’ve configured my Palo Alto on my Graylog to send its logs. As you know, in Graylog, when you’re creating an input, some technologies are already incorporated, like Palo Alto. So I chose “Palo Alto Networks TCP (PAN-OS v9.x)” because my FW matches this version. So now I have my logs, and they are already parsed. But the problem is that I want to change the name of the fields:
So as you can see, I would like to change the name “device_version” or “device_vendor” or “device_product” into something else, but I can’t find the option anywhere in Graylog… I have to tell you that I’ve installed my Graylog solution with Docker. If anyone has an idea, it would help me a lot in my project.
Thank you in advance
2. Describe your environment:
OS Information: Graylog 4.2.6
Package Version:
Service logs, configurations, and environment variables: Palo alto v9+
3. What steps have you already taken to try and solve the problem?
I’ve tried to look in the inputs to change the name, I’ve googled my problem, but I can’t find a way to change the name of the fields…
You can handle this in a pipeline rule using the rename_field() function.
You could use the older version 8 input that allows you to customize fields, but I couldn’t tell you what the difference between the two is other than what you would find in the docs. I wrote my own pipeline rules for incoming Palo Alto so that I had finer control. If you want to go that route, I can share some of the rules with you.
Thank you for your advice! Can you explain to me how to use a pipeline and use a function like “rename_field”? (I’m trying to understand the Graylog solution, but sometimes it’s kind of hard.)
And yes, it would be very nice of you if you could share some of the rules with me. Thank you again.
I’ll try to apply your solution; I hope it will work.
The docs on pipelines are here. Create a pipeline, then create a rule in the pipeline that does what you want, then attach the pipeline to the stream. All messages in that stream will be processed through the rule in your pipeline before getting stored in the index at the end of the pipeline.
Your rule might look something like this:
rule "change field names"
when
    has_field("device_product") &&
    has_field("device_vendor")
then
    rename_field("device_product", "my_product_name");
    rename_field("device_vendor", "my_vendor_name");
end
On a side note, pipelines have stages, and generally speaking all rules within a single stage run at the same time… meaning if in the future you have a rule that takes the results of another rule, you need to sequence them in separate stages.
I wrote up a long post about my PA setup here… it’s a little older but gets the idea across. There is more to the post thread if you read all around it…
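As an added example (not code from the thread or from Graylog itself), the following Python script does two things for the rename rule and the stage caveat above: it renders the rule and a two-stage pipeline definition as text you would paste into Graylog, and it runs a small model of stage evaluation over a constructed message shaped like the parsed Palo Alto fields. The model assumes Graylog's documented behaviour that, within one stage, every rule's `when` condition is checked against the message as it entered the stage before any rule's `then` actions run; the field names `my_product_name`, `my_vendor_name` and `source_tag` are illustrative.

```python
# Added example: model of a rename rule plus pipeline stages (not Graylog's own code).
from dataclasses import dataclass
from typing import Callable, Dict, List

Message = Dict[str, str]


@dataclass
class Rule:
    title: str
    when: Callable[[Message], bool]   # the rule's "when" condition
    then: Callable[[Message], None]   # the rule's "then" actions


def rule_source(title: str, renames: Dict[str, str]) -> str:
    """Render a Graylog rule that renames each field in `renames` (old -> new),
    guarded by has_field() so the rule only fires when every field is present."""
    when = " &&\n".join(f'    has_field("{old}")' for old in renames)
    then = "\n".join(f'    rename_field("{old}", "{new}");' for old, new in renames.items())
    return f'rule "{title}"\nwhen\n{when}\nthen\n{then}\nend\n'


def pipeline_source(name: str, stages: List[List[str]]) -> str:
    """Render a pipeline definition; each inner list holds the rule titles of
    one stage (stage 0, stage 1, ...), which is how rules are sequenced."""
    lines = []
    for number, titles in enumerate(stages):
        lines.append(f"stage {number} match either")
        lines.extend(f'    rule "{title}";' for title in titles)
    return f'pipeline "{name}"\n' + "\n".join(lines) + "\nend\n"


def run_stage(msg: Message, rules: List[Rule]) -> None:
    """Model of one stage (assumption about Graylog semantics): all conditions are
    evaluated against the message as it entered the stage, then matching actions run."""
    matched = [rule for rule in rules if rule.when(msg)]
    for rule in matched:
        rule.then(msg)


def run_pipeline(msg: Message, stages: List[List[Rule]]) -> Message:
    for rules in stages:
        run_stage(msg, rules)
    return msg


def rename_then(msg: Message) -> None:
    # Equivalent of the two rename_field() calls from the thread's rule.
    msg["my_product_name"] = msg.pop("device_product")
    msg["my_vendor_name"] = msg.pop("device_vendor")


RENAME_RULE = Rule(
    "change field names",
    lambda m: "device_product" in m and "device_vendor" in m,
    rename_then,
)

# A second rule that depends on the *renamed* field (illustrative field names).
TAG_RULE = Rule(
    "tag renamed messages",
    lambda m: m.get("my_vendor_name") == "Palo Alto Networks",
    lambda m: m.__setitem__("source_tag", "palo-alto"),
)


def sample_message() -> Message:
    """Constructed message with the parsed field names the thread asks about."""
    return {"device_vendor": "Palo Alto Networks",
            "device_product": "PAN-OS",
            "device_version": "9.1"}


def same_stage() -> Message:
    """Both rules in stage 0: the tag rule never sees the renamed field."""
    return run_pipeline(sample_message(), [[RENAME_RULE, TAG_RULE]])


def separate_stages() -> Message:
    """Rename in stage 0, tag in stage 1: the tag rule sees the renamed field."""
    return run_pipeline(sample_message(), [[RENAME_RULE], [TAG_RULE]])


if __name__ == "__main__":
    print(rule_source("change field names",
                      {"device_product": "my_product_name",
                       "device_vendor": "my_vendor_name"}))
    print(pipeline_source("palo alto renames",
                          [["change field names"], ["tag renamed messages"]]))
    print("same stage:      ", same_stage())
    print("separate stages: ", separate_stages())
```

Running the script prints the rule and pipeline text to paste into Graylog, then shows that `source_tag` only appears when the dependent rule sits in a later stage, which is the sequencing point made above.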