I am not sure if this is the right area to ask this question. I have been having issues with the Palo Alto Content Pack from the marketplace since an upgrade to our firewall, and I wanted to know if this is the place to inquire about it. I know this is not something that the makers of Graylog made, but I am just curious whether this is where we come to field questions about third-party content packs.
My experience with content packs is that sometimes they work, sometimes not at all. Often I end up writing the extractors myself, but the dashboard from the content pack gives inspiration on what kind of dashboard is possible with it.
About Palo Alto: you can define the log line format on the sending Palo Alto device to your liking. There is an example on the net for a QRadar config; you can easily take that to the firewall end and then write your own regex extractors in Graylog. It takes perhaps two hours total.
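As an added example (not code from this thread, from Graylog or from Palo Alto), the following Python shows how the patterns for Graylog extractors can be drafted and checked offline before they go near the server. It assumes the firewall's syslog server profile has been given a custom key=value log format; the field names (`pan_type`, `src`, `dst`, `action`, ...) and the log lines are constructed for the example, not a real capture. One named-group pattern covers the Grok-extractor case of filling many fields at once; a second helper builds the one-capture-group patterns that Graylog's "Regular expression" extractor needs, since that extractor stores only the first capture group and therefore takes one pattern per field.

```python
import re
from collections import Counter

# Constructed sample lines (not a real capture). They assume the firewall was
# configured to emit a custom key=value format; the key names are assumptions.
SAMPLE_LINES = [
    "pan_type=TRAFFIC ts=2024-03-01T12:00:01 src=10.1.2.3 dst=203.0.113.10 "
    "sport=51234 dport=443 proto=tcp app=ssl action=allow",
    "pan_type=TRAFFIC ts=2024-03-01T12:00:02 src=10.1.2.4 dst=198.51.100.7 "
    "sport=51235 dport=23 proto=tcp app=telnet action=deny",
    "pan_type=TRAFFIC ts=2024-03-01T12:00:03 src=10.1.2.3 dst=203.0.113.10 "
    "sport=51236 dport=443 proto=tcp app=ssl action=allow",
    "garbage line that does not match the agreed format",
]

# One pattern with named groups, the shape a Grok extractor uses to populate
# several fields from one match. Every field is anchored in order, so a line
# whose layout shifted after a firewall upgrade fails to match outright rather
# than silently landing wrong values in the wrong fields.
LINE_RE = re.compile(
    r"^pan_type=(?P<pan_type>[A-Z]+) "
    r"ts=(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) app=(?P<app>\S+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict of fields, or None when the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def regex_extractor_pattern(field):
    """Pattern for one Graylog 'Regular expression' extractor.

    That extractor keeps only the first capture group, so each field gets its
    own extractor with its own pattern. Values containing spaces (for example a
    timestamp written with a space) would need a field-specific pattern instead
    of the generic \\S+ used here.
    """
    return r"(?:^|\s)%s=(\S+)" % re.escape(field)


def extract_field(line, field):
    """What a single regex extractor would store for `field` on this line."""
    m = re.search(regex_extractor_pattern(field), line)
    return m.group(1) if m else None


def parse_all(lines):
    """Parse every line; return (parsed records, number of lines that failed)."""
    records = [parse_line(line) for line in lines]
    good = [r for r in records if r is not None]
    unparsed = sum(1 for r in records if r is None)
    return good, unparsed


def count_by(records, key):
    """Aggregate the way a dashboard widget would, e.g. messages per action."""
    return dict(Counter(r[key] for r in records))


if __name__ == "__main__":
    good, bad = parse_all(SAMPLE_LINES)
    print("parsed:", len(good), "unparsed:", bad)
    print("by action:", count_by(good, "action"))
    print("dst via single-group extractor:", extract_field(SAMPLE_LINES[0], "dst"))
```

Running this against a handful of real lines from the upgraded firewall (after replacing the constructed ones) shows immediately which field's pattern stopped matching; the unparsed count is the figure to watch, because a pattern that quietly matches nothing produces an empty dashboard rather than an error.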
The problem is I get lost quickly in trying to write my own extractors. I am understanding Grok somewhat more now just from trying to see what screwed up with the update with Palo Alto. I also realize this is a learning process for me.
I do appreciate your suggestion, however; I may look into that. I have a co-worker who knows regex pretty well, and we could then use the dashboard examples the content pack has as a template for creating new dashboards. I just wish there was an easier way to fix the old stuff. Thanks again!