Hello everyone ,
I collected the palo alto pan os 8.01 firewall logs with graylog 2.5 I used a content pack found in graylog market place to normalize the logs (have clear logs, pre-configurable dashboards, it works), Now I use graylog 3.2 .1, to collect logs from the same firewall, the contetn pack does not work
Please help.
the link of json file (content pack, in graylogmarketpalce)
It’s not able to directly import to newer version, but with simple edit, I modified at least extractors to newer version:
If you want to follow original content pack:
Syslog UDP Input in System - Inputs - Launch new input with parameters: Title: Palo Alto, Port: 10001
System - Inputs - Palo Alto - click Manage extractors - click Actions in top right corner and select Import extractors and paste text from parstebin.thanks so much @shoothub it works now I see the logs very clear , but on last graylog with this content pack https://marketplace.graylog.org/addons/8f766c1d-d894-4c71-9e67-6a79328a5289
I have preconfigured los dashboards (country sources, rules by destinations, interfaces …)
It’s not problem to create dasboard manually, check old content pack (json file) and find section dashboard, there are dashboard and widget configuration.
Or you can use content pack, that I created for you (contains input, stream, dashboard) from original.
thanks a lot @shoothub , I can install the content pack, the file json is work , but the dashboards are empty 
Widgets from dashboard uses data from Stream, update stream rule for Palo Alto Traffic to and change source = match exacly = Panorama-1, to your desired source or another condition.
No, you have to edit stream rule already included in content pack:
Streams - Palo Alto Traffic - click Manage rules scroll to bottom of page, and click on edit icon (next to trach icon), and change Value Panorama-1 to your real device hosname (from field source)
quick guess - Check each widget on your dashboard and make sure they are looking at the correct stream
@tmacgbay it doesn’t work for me, I can create dashboards but I cannot save them, the dashboards are empty with content pack ( Top Destination , Top URL Categories, Top firewall Rules , top Applications , top firewall Actions…) @shoothub
Please check, if your stream contains data, if not you have defined wrong condition (change value to your hostname of Palo Alto device).
You can also create own dashboard manually if not working, is so simple:
Palo Alto Traffic contains data. (you can’t see older data before you create stream).destination_country. Click on it and select “Show top values” (3.2 uses probably another name, i don’t remember, because I use 3.3). Double click on title of widget and name it. Continue with all other widgets, you want to create:Create icon on right menu and select Message count widgetExport to dashboard, click Save as
Done
Hi @shoothub
thank you for your support, I can already collect the logs of FW palo alto, and I can create dashboards, but I want the created dashboards to be displayed in the external “Search” page on message count, … for the dashboards of your content pack, in setup 2
yet I can collect the logs from palo, in any case thank you very much for your help, it is very kind of you,
also, for the fields, created on the log table, each time I add the concerned fields (add to all tables), why, they will not be recorded
Your stream probably doesn’t contain any data. Check your stream condition. If you want to put all messages from palo alto firewall to stream, you can create static field in System - Inputs - click More actions - Add static field, for example Field name: paloalto, Field value: 1. Then use this field in Palo alto stream condition.
It’s not necessary to use stream for dashboard, you can also use another search condition, that will extract palo alto logs and then create dashboard.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
