Log normalization

hello everyone ,

Please I am stuck in the “log normalization” step , logs of firewall Palo alto , I read on the documentation of graylog, to standardize the logs one uses “extractor” . : Copy input, Grok pattern, Json, Regular expression, repleace with regular expression, Split & Index, Substring, Lookup Table …what is the most suitable method with graylog to normalize the logs


For Palo Alto I’d recommend a Grok pattern, but regex and split&index also would work…

There are some content pack options in the Marketplace you might be able to look at too such as https://marketplace.graylog.org/addons/f9facfdf-3d3d-423d-9bd0-4fba9db407ff (search the marketplace for more options), but keep in mind that depending on the version of PAN, some of these might not work. Additinoally, the creator of the content pack may not normalize to the field names you want so that might need adjusting.

1 Like

Hi @megan201296 thank you for your reply., Grok pattern " Grok" ? please “grok” what does that mean, exactly? in my case how can I configure it according to my equipment Palo alto A 820 ,

You can also find grok pattern testes/debuggers.

@macko003 I have already searched, thank you for your great efforts… thanks God because there are people like you @macko003

I import content pack options in the Marketplace

Now in Inputs : i have PAN-syslog Syslog TCP i changed his port , to 1514, it’s his default port

but I have not received any logs yet, maybe i keep his default port, and reconfigure the palo alto to send in tcp and the Pan syslog port ??
Please help please

hello everone, please I import content pack Palo Alto Networks Content Pack, i use Graylog 2.5, my firewall palo Alto A820, Pan 8,0.9. this pack it is adequate with graylog 2.5 ??

Now , i import this pack

but the logs remain of the same form as before, the dhasbords for me are empty, the content is empty

yes i did it :heart_eyes::heart_eyes: I did the normalization of alto palo logs, now, I have the standardized alto palo logs

@macko003 yes i did it :sweat_smile::sweat_smile: I did the normalization of my FW palo alto logs, now, I have the standardized palo alto logs with graylog 2.5…
the logs are not like before, now they are very clear

what can do some time what you spend with testing and searching.

I think this project not more than few hours with work. You opened this topic 7 days before.

@macko003 Maybe you’re right but it’s not nice of you, for the work I don’t have only Graylog…and for a beginner like me it’s not bad … in any case thank you

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.