Skip to content

[PANW] add audit log parsing #9663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
May 6, 2024
Merged

[PANW] add audit log parsing #9663

merged 13 commits into from
May 6, 2024

Conversation

@gogochan
Copy link
Contributor

@gogochan gogochan commented Apr 22, 2024

Proposed commit message

Explain here the changes you made on the PR.

Please explain:
This PR adds Audit log, described in https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields, processing for PaloAlto's NG firewall.

The audit log has different log pattern than the existing ones. So I added a new grok pattern to match the log provided by the customer. I've asked customer to provide additional sample log if possible. The PR may be updated based on additional information I get from the customer.

The issue was reported by https://github.com/elastic/sdh-beats/issues/4641

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
@gogochan gogochan added the bug Something isn't working, use only for issues label Apr 22, 2024
@gogochan gogochan requested a review from a team as a code owner April 22, 2024 20:43
@gogochan gogochan changed the title add audit log parsing [PANW] add audit log parsing Apr 22, 2024
@gogochan gogochan marked this pull request as draft April 22, 2024 20:44
@gogochan gogochan added Integration:panw Palo Alto Next-Gen Firewall Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Apr 23, 2024
@elasticmachine
Copy link

elasticmachine commented Apr 24, 2024
edited
Loading

🚀 Benchmarks report

Package panw 👍(0) 💚(0) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
panos 1216.55 953.29 -263.26 (-21.64%) 💔

To see the full report comment with /test benchmark fullreport
@gogochan gogochan added enhancement New feature or request and removed bug Something isn't working, use only for issues labels May 2, 2024
@gogochan gogochan marked this pull request as ready for review May 2, 2024 23:46
@elasticmachine
Copy link

elasticmachine commented May 2, 2024

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
@gogochan
Copy link
Contributor Author

gogochan commented May 6, 2024

/test benchmark fullreport
taylor-swanson
taylor-swanson reviewed May 6, 2024
View reviewed changes
Copy link
Contributor

@taylor-swanson taylor-swanson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from one issue
packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/audit.yml Outdated
- append:
field: error.message
value: >-
error in IP Tag pipeline:
Copy link
Contributor

@taylor-swanson taylor-swanson May 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
error in IP Tag pipeline:
error in Audit pipeline:
Copy link
Contributor Author

@gogochan gogochan May 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! 🙏
@elasticmachine
Copy link

elasticmachine commented May 6, 2024

💚 Build Succeeded

History
@elastic-sonarqube
Copy link

elastic-sonarqube bot commented May 6, 2024

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube
@gogochan gogochan merged commit b88d2a3 into main May 6, 2024
@gogochan gogochan deleted the addPanwAuditLog branch May 6, 2024 19:43
@elasticmachine
Copy link

elasticmachine commented May 6, 2024

Package panw - 3.25.0 containing this change is available at https://epr.elastic.co/search?package=panw
@marioschaefer marioschaefer mentioned this pull request Jun 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request Integration:panw Palo Alto Next-Gen Firewall Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices]

4 participants

@gogochan @elasticmachine @taylor-swanson