The Palo Alto Input doesn’t ignore commas in a quoted string, and therefore doesn’t index the fields properly.
Is there a way to configure the input to respect the quoted strings that Palo Alto sends in its messages?
The log received from Palo Alto looks like this:
1,2019/04/25 15:32:04,009900009999,SYSTEM,globalprotect,0,2019/04/25 15:32:04,,globalprotectportal-auth-succ,GP_PortalAdm_Optional,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 10.0.0.1, Source region: DK, User name: pre-logon, Auth type: client certificate.",16657523,0x0,0,0,0,0,,PA-VM
Palo Alto Networks Input configuration (Only the system section listed below):
SYSTEM_TEMPLATE:
position,field,type
1,receive_time,STRING
2,serial_number,STRING
3,type,STRING
4,content_threat_type,STRING
5,future_use1,STRING
6,generated_time,STRING
7,virtual_system,STRING
8,event_id,STRING
9,object,STRING
10,future_use2,STRING
11,future_use3,STRING
12,module,STRING
13,severity,STRING
14,description,STRING
15,sequence_number,STRING
16,action_flags,STRING
17,device_group_hierarchy_l1,STRING
18,device_group_hierarchy_l2,STRING
19,device_group_hierarchy_l3,STRING
20,device_group_hierarchy_l4,STRING
21,virtual_system_name,STRING
22,device_name,STRING
All the fields down to position 14 are correct. The Description field and the following fields contain:
Description "GlobalProtect portal user authentication succeeded. Login from: 126.96.36.199
sequence_number Source region: DK
action_flags User name: pre-logon
device_group_hierarchy_l1 Auth type: client certificate."
device_group_hierarchy_l2 16657523
I don’t see any option on the Input that would allow me to control the parsing of quoted strings. Nor have I been able to find any helpful information on the topic.
It would probably be possible to do this with a standard Syslog input and some GROK patterns but that negates the purpose of the dedicated Palo Alto Input.
The setup is running on the OVA image and is running Graylog 3.0.1-2 with the graylog-integrations-plugins installed.
The Palo Alto Networks Input Plugin is installed with:
sudo apt-get install graylog-integrations-plugins
Found in the docs under Integrations (http://docs.graylog.org/en/3.0/pages/integrations/setup.html)
The Palo Alto system is running Software Version 8.0.13.
The Syslog server is configured as TCP and format IETF, with the default log format.
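The field shift described in the post, reproduced as an added example (not part of the original post and not Graylog plugin code): the posted sample line is split once on every comma and once with a quote-aware CSV reader, with columns mapped by the posted SYSTEM_TEMPLATE positions. The function names and the fixed count of 23 columns (unnamed column 0 plus positions 1 to 22) are assumptions of this example.

```python
import csv

# Positions 1..22 from the SYSTEM_TEMPLATE in the post (column 0 is unnamed there).
SYSTEM_FIELDS = [
    "receive_time", "serial_number", "type", "content_threat_type",
    "future_use1", "generated_time", "virtual_system", "event_id", "object",
    "future_use2", "future_use3", "module", "severity", "description",
    "sequence_number", "action_flags", "device_group_hierarchy_l1",
    "device_group_hierarchy_l2", "device_group_hierarchy_l3",
    "device_group_hierarchy_l4", "virtual_system_name", "device_name",
]

# The SYSTEM log line quoted in the post.
SAMPLE = ('1,2019/04/25 15:32:04,009900009999,SYSTEM,globalprotect,0,'
          '2019/04/25 15:32:04,,globalprotectportal-auth-succ,'
          'GP_PortalAdm_Optional,0,0,general,informational,'
          '"GlobalProtect portal user authentication succeeded. '
          'Login from: 10.0.0.1, Source region: DK, User name: pre-logon, '
          'Auth type: client certificate.",16657523,0x0,0,0,0,0,,PA-VM')


def naive_parse(line):
    """Split on every comma; reproduces the field shift reported in the post."""
    cols = line.split(",")
    return {name: cols[pos] for pos, name in enumerate(SYSTEM_FIELDS, start=1)}


def quoted_parse(line):
    """Split as CSV so commas inside a double-quoted field stay in that field."""
    cols = next(csv.reader([line], strict=True))
    expected = len(SYSTEM_FIELDS) + 1  # assumption: template covers every column
    if len(cols) != expected:
        raise ValueError(f"expected {expected} columns, got {len(cols)}")
    return {name: cols[pos] for pos, name in enumerate(SYSTEM_FIELDS, start=1)}


if __name__ == "__main__":
    shown = ("description", "sequence_number", "device_group_hierarchy_l2", "device_name")
    for parse in (naive_parse, quoted_parse):
        record = parse(SAMPLE)
        print(parse.__name__)
        for key in shown:
            print(f"  {key}: {record[key]!r}")
```

The column-count check in `quoted_parse` turns a shifted or truncated record into an error instead of silently indexing values under the wrong field names.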