@jan - should have mentioned that too - there are a couple of challenges that I have with the built-in integration:
- The Integrations plugin goes to 8.1 and PA is on version 9+ with notable adjustments in fields. You can adjust the integration but, as an example, PA has broken out a new message type GLOBALPROTECT … which used to be under SYSTEM - not yet available in the current integration. Even more annoying, all the other log types are in CSV field position [3] but GLOBALPROTECT is CSV field position [5]…
- The SYSTEM messages have a description field that has quotes around it, contains zero or more commas and is semi key-value oriented. The integration kind of captures these but can’t break them into field name and data - until the pipeline… if you want them.
- There is no method for ignoring fields.
Having the message breakout in a pipeline gives me a lot more flexibility for this and as things evolve.
Example: (Assumes you already pulled out that it was logtype SYSTEM in a previous stage)
rule "PA-Firewall - ex1 - SYSTEM fields"
when
    has_field("log_type") &&
    to_string($message.log_type) == "SYSTEM"
then
    let message = to_string($message.message);
    // Regex breaks out the event description in quotes here.
    // There are possibly commas in the description that mess up the split,
    // so regex the event description and ignore the ending fields since they are not needed.
    let snagy = regex(pattern: "(?<=,\")(.*)(?=.\",)",
                      value: message
    );
    set_field("event_description", to_string(snagy["0"]));
    let splitsys = split(",", message);
    set_field("hostname", splitsys[0]);
    set_field("receive_date_time", splitsys[1]);
    set_field("serial_number", splitsys[2]);
    //set_field("log_type", splitsys[3]); -- already handled
    set_field("log_subtype", splitsys[4]);
    set_field("time_generated", splitsys[6]);
    //set_field("virtual_system", splitsys[7]); -- not used
    set_field("event_id_name", splitsys[8]);
    set_field("session_object", splitsys[9]);
    set_field("subtype_module", splitsys[12]);
    set_field("event_severity", splitsys[13]);
end
I didn’t care about the fields following event_description, but if you wanted them you could replace(message, event_description) to remove the field before breaking the rest out.
OK WAY more information than asked for but it’s a slow day and someone may search for a similar answer in the future.
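Added example (not code from the post above): the same SYSTEM break-out done with a quote-aware CSV parser, which is what keeps the commas inside the quoted description from shifting the later positions that a plain split(",") would. Field indexes are the ones used in the rule above; the sample log lines are constructed, and the GLOBALPROTECT position check, the position of the description at [14] and the key-value heuristic for the description are assumptions based on the post.

```python
import csv
import re

# Constructed sample lines (not from the post); layout follows the field
# positions used in the pipeline rule, with hostname prepended at [0].
SAMPLE_SYSTEM = (
    "pa-fw01,2024/01/15 10:22:33,001234567890,SYSTEM,general,,"
    "2024/01/15 10:22:33,,general,,,,general,informational,"
    '"Connection to Update server: updates.paloaltonetworks.com '
    'completed successfully, initiated by 192.0.2.10",12345,0x0'
)
SAMPLE_GP = "pa-fw01,2024/01/15 10:23:00,001234567890,,,GLOBALPROTECT,gateway-auth"

SYSTEM_FIELDS = {  # indexes copied from the set_field() calls in the rule
    "hostname": 0, "receive_date_time": 1, "serial_number": 2,
    "log_subtype": 4, "time_generated": 6, "event_id_name": 8,
    "session_object": 9, "subtype_module": 12, "event_severity": 13,
}
DESCRIPTION_INDEX = 14  # assumed: the quoted description follows event_severity

def split_fields(line):
    # csv honours the quotes, so commas inside the description do not
    # shift the positions of later fields the way str.split(",") does.
    return next(csv.reader([line]))

def log_type_of(fields):
    # Per the post: log_type sits at [3] except for GLOBALPROTECT at [5].
    if len(fields) > 5 and fields[5] == "GLOBALPROTECT":
        return "GLOBALPROTECT"
    return fields[3] if len(fields) > 3 else None

def parse_system_line(line):
    fields = split_fields(line)
    if log_type_of(fields) != "SYSTEM":
        return None
    out = {n: fields[i] for n, i in SYSTEM_FIELDS.items() if i < len(fields)}
    desc = fields[DESCRIPTION_INDEX] if len(fields) > DESCRIPTION_INDEX else ""
    out["event_description"] = desc
    # Heuristic break-out of the "semi key-value" description: every
    # "Some Words: value" pair becomes its own desc_* field.
    for key, value in re.findall(r"([A-Za-z][A-Za-z ]*):\s*([^,]+)", desc):
        out["desc_" + key.strip().lower().replace(" ", "_")] = value.strip()
    return out

if __name__ == "__main__":
    print(len(SAMPLE_SYSTEM.split(",")), "naive fields vs",
          len(split_fields(SAMPLE_SYSTEM)), "csv fields")
    print(parse_system_line(SAMPLE_SYSTEM))
```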