Palo 10.x+ Decryption and GTP logs not parsing

I have recently set up Graylog 5 and set up a Palo input. The only one I saw was for Palo 9.x+. It's working great other than the Decryption and GTP logs. I receive this message in the Graylog server log:

2023-04-20T10:51:03.404-04:00 INFO [PaloAlto9xCodec] Received log for unsupported PAN type [GTP]. Will not parse.
2023-04-20T10:51:03.488-04:00 INFO [PaloAlto9xCodec] Received log for unsupported PAN type [DECRYPTION]. Will not parse.

The data comes in and I can parse it with extractors but this will still fill up my log with a bunch of these messages and seems like not the cleanest way to fix my issue.

My question is where can I add Decryption and GTP as supported logs for the Pan Types? I would like to build that out but can’t seem to find where it’s defined.

This is a single node environment. I am using OpenSearch and MongoDB installed locally on the server.
OS: Rocky 9.1
Graylog 5.0.6

I do not have any other feeds, and all other Palo logs are coming in without issue.

Please let me know if there is any other information I can provide to be helpful.

The messages from the Palo are just syslog. The PAN-OS input does some helpful parsing, but you could fall back to a standard syslog input and just do that parsing manually in pipeline rules.

The docs page goes into pretty deep detail on what that input is doing: Palo Alto Networks Input
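To make the fallback concrete, here is an added example (not from the thread and not Graylog's own codec) of the parsing the reply describes, written in Python so it can be run offline before being translated into pipeline rules. PAN-OS syslog bodies are CSV with the log type in column 3 (0-indexed) and the subtype in column 4, and fields containing commas are double-quoted. The per-type column names in `TYPE_COLUMNS` and the sample log lines are constructed for the example and are assumptions; take the real column order from the PAN-OS syslog field reference for the firewall version in use. The point the example makes is how to handle a type the parser does not know: keep the message and tag it, instead of logging "unsupported PAN type" and parsing nothing.

```python
import csv
import io
from typing import Dict, List, Optional

# Leading columns shared by every PAN-OS CSV log type (TRAFFIC, THREAT,
# DECRYPTION, GTP, ...). Index 3 is the log type, index 4 the subtype.
COMMON_COLUMNS = ["future_use", "receive_time", "serial_number", "type", "subtype"]

# Column names for the fields after the common header, per log type.
# ASSUMPTION: these names and positions are illustrative only; replace them
# with the vendor's field list for your PAN-OS version.
TYPE_COLUMNS: Dict[str, List[str]] = {
    "DECRYPTION": ["future_use_2", "generated_time", "src_ip", "dst_ip",
                   "nat_src_ip", "nat_dst_ip", "rule_name"],
    "GTP": ["future_use_2", "generated_time", "src_ip", "dst_ip",
            "nat_src_ip", "nat_dst_ip", "rule_name"],
}


def strip_syslog_header(line: str) -> Optional[str]:
    """Return the CSV body of a PAN-OS syslog line, or None if there is none.

    Works for both RFC 3164 ("<PRI>Apr 20 10:51:03 host body") and RFC 5424
    ("<PRI>1 ts host app pid msgid sd body") framing: neither header contains
    a comma, so the body starts at the last space before the first comma.
    """
    first_comma = line.find(",")
    if first_comma < 0:
        return None
    start = line.rfind(" ", 0, first_comma) + 1  # 0 when there is no header
    return line[start:]


def split_panos_csv(body: str) -> List[str]:
    """Split a PAN-OS CSV body, honouring the double-quoting of fields that
    themselves contain commas (rule names, user names, URLs)."""
    return next(csv.reader(io.StringIO(body), strict=True))


def parse_panos(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line into a flat field dict.

    Known types get named fields from TYPE_COLUMNS; unknown types are kept
    with positional names (field_N) and flagged via pan_parse_status so they
    can be found and extended later rather than silently dropped.
    """
    body = strip_syslog_header(line)
    if body is None:
        return None
    fields = split_panos_csv(body)
    if len(fields) <= len(COMMON_COLUMNS):
        return None  # too short to be a PAN-OS record
    record = dict(zip(COMMON_COLUMNS, fields))
    rest = fields[len(COMMON_COLUMNS):]
    names = TYPE_COLUMNS.get(record["type"], [])
    record["pan_parse_status"] = "parsed" if names else "unsupported_type"
    for name, value in zip(names, rest):
        record[name] = value
    # Anything past the known column list (or everything, for an unknown
    # type) is preserved positionally so no data is lost.
    offset = len(COMMON_COLUMNS) + len(names)
    for i, value in enumerate(fields[offset:], start=offset):
        record[f"field_{i}"] = value
    return record


# Constructed sample lines (not real firewall output).
SAMPLE_DECRYPTION = (
    "<14>Apr 20 10:51:03 PA-VM 1,2023/04/20 10:51:03,0123456789,DECRYPTION,start,"
    "2560,2023/04/20 10:51:02,10.0.0.5,203.0.113.10,192.0.2.1,203.0.113.10,"
    "decrypt-outbound,extra1"
)
SAMPLE_GTP = (
    "<14>1 2023-04-20T10:51:03-04:00 PA-VM - - - - 1,2023/04/20 10:51:03,"
    "0123456789,GTP,gtp,2561,2023/04/20 10:51:02,10.1.1.1,10.2.2.2,"
    "10.1.1.1,10.2.2.2,\"Allow,GTP\""
)
SAMPLE_UNKNOWN = (
    "<14>Apr 20 10:51:03 PA-VM 1,2023/04/20 10:51:03,0123456789,FOOBAR,sub,2562,x"
)

if __name__ == "__main__":
    for sample in (SAMPLE_DECRYPTION, SAMPLE_GTP, SAMPLE_UNKNOWN):
        print(parse_panos(sample))
```

When moving this into a Graylog pipeline rule, the same shape applies: split the raw message on commas, branch on the type field, and set a status field for types the rule does not yet cover so they can be located in the search UI instead of the server log.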
