Not reading threat input from Palo Alto

Howdy,

I’ve been working on manually setting up our Palo Alto inputs since all of the marketplace addons are using a newer version of Palo Alto than what we have set up.

The input is working on all of the TRAFFIC and SYSTEM logs being sent, but for some reason THREAT logs are not being saved at all.

I ran a packet capture on our graylog device and its receiving threat logs without issue. The following block is taken from following the TCP stream in Wireshark:

710 <14>1 2019-10-07T16:17:01-05:00 DEVICENAME - - - - 1,2019/10/07 16:17:01,001606066092,THREAT,url,1,2019/10/07 16:17:01,IPADRESS,IPADDRESS,IPADDRESS,IPADDRESS,RULENAME,USERNAME,google-base,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Graylog,2019/10/07 16:17:01,26664,1,64720,443,65224,443,0x1403000,tcp,block-url,“pagead2.googlesyndication.com/pagead/gen_204?id=xbid&dbm_b=AKAmf-C_dOwNGIfHhi0R6W7AswknGdH3c-n1xZKd79oEF9pIT-HUWCxy8dR2vf4el7zIJjoy15v-xQqrCCeeTXpPHb17xf9-fWEAAiuhqdw36bkJHXeRWDg”,(9999),web-advertisements,informational,client-to-server,1023379,0x0,10.0.0.0-10.255.255.255,United States,0,0,1,0,0,0,0,0,DEVICENAME,get,0,0,N/A,unknown,AppThreat-0-0,0x0

I followed the syslog threat fields for our version and triple-checked that they’re set up correctly, I even made sure that there were no slashes that might cause an escape as well.

I have the threat log input set up like this:
position,field,type
1,Receive_Time,STRING
2,Serial_Number,STRING
3,Type,STRING
4,Threat_Content_Type,STRING
5,FUTURE_USE,STRING
6,Generated_Time,STRING
7,Source_IP,STRING
8,Destination_IP,STRING
9,NAT_Source_IP,STRING
10,NAT_Destination_IP,STRING
11,Rule_Name,STRING
12,Source_User,STRING
13,Destination_User,STRING
14,Application,STRING
15,Virtual_System,STRING
16,Source_Zone,STRING
17,Destination_Zone,STRING
18,Inbound_Interface,STRING
19,Outbound_Interface,STRING
20,Log_Action,STRING
21,FUTURE_USE,STRING
22,Session_ID,STRING
23,Repeat_Count,STRING
24,Source_Port,STRING
25,Destination_Port,STRING
26,NAT_Source_Port,STRING
27,NAT_Destination_Port,STRING
28,Flags,STRING
29,Protocol,STRING
30,Action,STRING
31,URL_Filename,STRING
32,Threat_ID,STRING
33,Category,STRING
34,Severity,STRING
35,Direction,STRING
36,Sequence_Number,STRING
37,Action_Flags,STRING
38,Source_Location,STRING
39,Destination_Location,STRING
40,FUTURE_USE,STRING
41,Content_Type,STRING
42,PCAP_ID,STRING
43,File_Digest,STRING
44,Cloud,STRING
45,URL_Index,STRING
46,User_Agent,STRING
47,File_Type,STRING
48,X_Forwarded_For,STRING
49,Referrer,STRING
50,Sender,STRING
51,Subject,STRING
52,Recipient,STRING
53,Report_ID,STRING
54,Device_Group_Hierarchy_Level_1,STRING
55,Device_Group_Hierarchy_Level_2,STRING
56,Device_Group_Hierarchy_Level_3,STRING
57,Device_Group_Hierarchy_Level_4,STRING
58,Virtual_System_Name,STRING
59,Device_Name,STRING
60,FUTURE_USE,STRING
61,Source_VM_UUID,STRING
62,Destination_VM_UUID,STRING
63,HTTP_Method,STRING
64,Tunnel_ID_IMSI,STRING
65,Monitor_Tag_IMEI,STRING
66,Parent_Session_ID,STRING
67,Parent_Start_Time,STRING
68,Tunnel_Type,STRING
69,Threat_Category,STRING
70,Content_Version,STRING
71,FUTURE_USE,STRING

Any ideas as to why the input might be being ignored?

Thanks!

I’m assuming you meant the content pack addons in the Marketplace. Have you looked at the integration for Palo? I have no experience with it, but this may solve your problem.

http://docs.graylog.org/en/3.1/pages/integrations/inputs/palo_alto_networks_input.html#palo-alto-network-input

Hi cawfehman,

Thanks for taking the time to reply. Sorry for not clarifying in my first post, but I am using the integration and not the content packs. We’re currently running Pan-OS 8.0 and Graylog 3.1 - I’ve stayed away from the content packs since they’re either deprecated or set up for Pan-OS 8.1.

if you can share how that can be reproduce please open an issue:

for that.

Thank you Jan, I’ve posted it

I resolved this.

For Traffic and System the Palo Alto documentation has numbers after each FUTURE_USE field (i.e. FUTURE_USE1, FUTURE_USE2). Threat didn’t have these so it was causing an exception when writing to each of them. I added the numbers and it works.

Thank you