The Cribl Pack for Palo Alto Networks Firewalls processes events with the following goals in mind:
- Events are received via syslog directly from Palo Alto firewalls
- Add Splunk metadata to events (e.g. index, source, sourcetype, host)
- Reduce event size by trimming the syslog header and removing unnecessary fields such as the "future_use" and "time" fields. You should expect to see a 15-30% reduction in the size of your Palo Alto Firewall log data.
- Install this pack from the Cribl Pack Dispensary, use the Git clone feature inside Cribl Stream, or download the most recent `.crbl` file from the repo releases page.
- Create a Route with a filter for your Palo Alto Firewall events. A sample filter to match all events:
  `(sourcetype=='pan:log' || sourcetype=='pan_log' || /^[^,]+,[^,]+,[^,]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID|GLOBALPROTECT),/.test(_raw))`
- Select the `cribl-palo-alto-networks` pack as the pipeline.
- Configure the Global Variable (`pan_default_index`) inside the Pack with the appropriate Splunk index for your Palo Alto logs. By default, the index field will be set to `pan_logs`.
This pack assumes all of your firewalls use UTC/GMT for their time zone configuration. If you use local time zones, please configure the `device_info.csv` lookup file (located in the pack's Knowledge content).

The `device_info.csv` file is used by a regular expression lookup function in each pipeline. You can use wildcards (e.g. `.*`, `KCMO-FW-\d+`, `FW-.*`) in the hostname field. The time zone (`tz`) field must be formatted as an integer (e.g. -05, +11, etc.). The regex lookup will return the value of the most specific matching regex as the time zone.
Here is an example lookup file:

```csv
host,tz
KCMO-FW-\d+,America/Chicago
FW-.*,Etc/GMT+1
.*,US/Eastern
```
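To show how the route filter above and the `device_info.csv` regex lookup fit together, here is an added JavaScript example (not the pack's own code) that applies the README's filter to constructed syslog lines, trims the syslog header, attaches the default index, and resolves each firewall's time zone from the example lookup rows. It assumes the rows are ordered most-specific-first (first match wins) and that host patterns are matched unanchored, like `RegExp.test()`; the `processEvent`, `splitSyslog` and `lookupTz` names are this example's own.

```javascript
// Added example (not the pack's own code): applies the README's route filter
// to constructed syslog lines, trims the syslog header, and resolves each
// firewall's time zone from device_info.csv rows. Assumptions: rows are
// ordered most-specific-first (first match wins) and host patterns are
// matched unanchored, like RegExp.test().

// The route filter from the README, as a function over an event object.
const PAN_TYPES = /^[^,]+,[^,]+,[^,]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID|GLOBALPROTECT),/;
function matchesPanRoute(event) {
  return event.sourcetype === 'pan:log' || event.sourcetype === 'pan_log' ||
    PAN_TYPES.test(event._raw);
}

// Split a BSD syslog header ("<PRI>Mon  d HH:MM:SS host ") from the CSV body.
// \s+ before the day covers the single-digit-day padding noted in the changelog.
const SYSLOG_HEADER = /^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) (.*)$/s;
function splitSyslog(raw) {
  const m = SYSLOG_HEADER.exec(raw);
  return m ? { host: m[1], body: m[2] } : null;
}

// Constructed device_info.csv (same rows as the README example).
const DEVICE_INFO_CSV = 'host,tz\nKCMO-FW-\\d+,America/Chicago\nFW-.*,Etc/GMT+1\n.*,US/Eastern\n';
function parseDeviceInfo(csv) {
  return csv.trim().split('\n').slice(1).map(line => {
    const comma = line.indexOf(',');            // host pattern holds no comma
    return { host: new RegExp(line.slice(0, comma)), tz: line.slice(comma + 1) };
  });
}
function lookupTz(hostname, rows) {
  const row = rows.find(r => r.host.test(hostname));
  return row ? row.tz : null;
}

// Mirror the pack's steps: route match, header trim, metadata, per-host tz.
function processEvent(raw, rows, defaultIndex = 'pan_logs') {
  if (!matchesPanRoute({ _raw: raw })) return null;  // route filter would skip it
  const parts = splitSyslog(raw);
  if (!parts) return null;
  const fields = parts.body.split(',');
  return { index: defaultIndex, host: parts.host, log_type: fields[3],
           tz: lookupTz(parts.host, rows), _raw: parts.body };
}

// Constructed sample lines (not real firewall output); the third is not PAN.
const SAMPLE_EVENTS = [
  '<14>Jan  5 12:00:00 KCMO-FW-1 1,2024/01/05 12:00:00,001234567890,TRAFFIC,end,2561,2024/01/05 12:00:00',
  '<14>Jan 15 12:00:01 FW-edge 1,2024/01/15 12:00:01,001234567891,THREAT,url,2561,2024/01/15 12:00:01',
  '<14>Jan 15 12:00:02 router1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up',
];
const DEVICE_ROWS = parseDeviceInfo(DEVICE_INFO_CSV);
SAMPLE_EVENTS.forEach(raw => console.log(JSON.stringify(processEvent(raw, DEVICE_ROWS))));
```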
- Fix various typos in pipelines.
- Fix issue with time zone function in Correlation pipeline
- Fixes typo in Correlation pipeline
- Fixes incorrect sourcetype set in Decryption pipeline
- Add explanations why fields are dropped
- New feature: use Global Variables to define default `index` and `source` field values. Change in one location instead of every pipeline!
- Rewrites pipeline logic to separate the parser reserialize function into separate parser extract and serialize functions.
- New feature: set the global variable `pan_device_name_as_host` to set the `host` field value from the `dvc_host` field value instead of the syslog header.
- Update to version 1.0.0 - major release for new Pack Dispensary 🎉
- Changes Pack ID from `PAN` to `cribl-palo-alto-networks` to match the naming convention of Cribl-built Packs. This is a breaking change and all references in Routes/Pipelines must be updated!
- Updates parser fields to PAN OS 10.2. All fields added in PAN OS 10 are removed from events by default.
- Adds Correlation event log pipeline.
- `device_info.csv` now uses Olson formatted time zones (e.g. `America/Chicago`) instead of static offsets, and the `C.Time.adjustTZ` function, for better time zone support. A listing of time zones can be found here.
- Bug fix - Corrects an issue in pipelines where the hostname is not correctly extracted if the date is a single digit. Unifies the hostname extraction across all pipelines.
- Routes use an `indexOf` filter instead of `test` for higher performance.
- Adds the `device_info.csv` lookup file and a lookup function in pipelines to adjust time zones per firewall.
- Adds pack display name for LogStream v3.1
- Fixes README
- Initial release
Discuss this pack on our Community Slack channel #packs.
The author of this pack is Brendan Dalpe and can be contacted at bdalpe@cribl.io.
This Pack uses the following license: Apache 2.0.