Palo Alto Networks

Content Pack

25 Sep 15:44

Last Push

07 Aug 15:38


patrisilva over 1 year ago

I am new to Graylog. I've tried to import and I got this error: Error importing content pack, please ensure it is a valid JSON file. Check your Graylog logs for more information.
Null id at [Source: org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream@745f5a10; line: 808, column: 1] (through reference chain: org.graylog2.contentpacks.model.AutoValue_LegacyContentPack$Builder["id"])

ayoublab92 almost 2 years ago

hello everyone ,

Please, I am stuck in the "log normalization" step for the logs of a Palo Alto firewall. I read in the Graylog documentation that to standardize the logs one uses "extractors": Copy input, Grok pattern, JSON, Regular expression, Replace with regular expression, Split & Index, Substring, Lookup Table... What is the most suitable method with Graylog to normalize the logs? Please, anyone help me; I would like to get a Content Pack for my Palo Alto FW.

ayoublab92 almost 2 years ago

Hello everyone, please, I imported the Palo Alto Networks Content Pack. I use Graylog 2.5; my firewall is a Palo Alto A820, PAN 8.0.9. Is this pack adequate for Graylog 2.5?

ddbnl over 2 years ago

@ignisnigrum, nice find. I generated extractors from Palo Alto's documentation using a Python script. I then made a content pack out of it; the dashboards should be more or less the same.

ignisnigrum almost 3 years ago

Just my 2 cents:

Description of the syslog fields by Palo Alto; maybe this helps,
as I seem to be unable to modify the Grok pattern, since everything in Graylog just seems to stop working :S.

PecnikMiha almost 3 years ago

Any news on this front?

PecnikMiha about 3 years ago

That is great news, I can't wait for the new update.

TheJCamping about 3 years ago

I've updated the Grok extractors to work with the changes in 7.0 and 8.0. It looks like it's an issue with the time portion of the extractor. Once I've tested for a few days I'll try updating the Content Pack in full.

This is what I changed to get the Grok extractors working: %{IPORHOST:Source}%{NOTCOMMA},%{DATE_US2:LoggedDate} %{NOTCOMMA:LoggedTime},%{BASE10NUM:SerialNumber},%{NOTCOMMA:Type},%{NOTCOMMA:Subtype},%{NOTCOMMA},%{DATE_US2:EventDate} %{NOTCOMMA:EventTime}

If you replace the beginning of the extractor with that or for some of them shortened versions it should work.

NoX1De about 3 years ago

Has anyone forked this already and updated for PANOS 7.1.x and/or 8.0.x compatibility? Don't want to reinvent the wheel...

reighnman about 3 years ago

Really, this content pack needs to be broken up by PAN-OS version, since they like to change the structure of their logs on major releases. This was originally created back in PAN-OS 5 with older versions of Graylog, so some tweaks are likely necessary. Ideally it should be forked to a new v7+ plugin and updated, so that users of old PAN-OS versions can continue to use the original.

blacs30 over 3 years ago

Thanks a lot for this fix regarding the time format from @chrkli193. That seemed to have fixed more than 100,000 index errors a day.

reighnman over 3 years ago

You can fork or you can just submit merge requests with fixes. I may be getting new PA devices in which case I'll probably have the opportunity to update it myself again.

dallanwagz over 3 years ago

@NoX1De Are you sending your logs to the input that the content pack created? The extractors need to be attached to the input.

PecnikMiha over 3 years ago

I too am interested in what the future of this project is. The Graylog team will need to step up on their own end, be it with contributions or packs we can pay for, if they want to be considered a Splunk competitor. The same issues as this one are happening pretty much all over: something gets released, it works for version x.x, then stops, or lacks some fundamental functions such as custom community names in the SNMP pack.

Community contributions are great and all, but will not be enough in the long run.

luqmaanki almost 4 years ago

Does anyone know if this project has been forked by anyone? I would really like to see it continue to live as PAN upgrades their FW.

NoX1De almost 4 years ago

mistake, completely overlooked the grok patterns since none of them reference or designate they are for the Palo Alto Content Pack with something like PA_ in front of them...and the extractors are there, just missed them. Whoops!

NoX1De almost 4 years ago

For clarification: what was meant is that none of the extractors nor Grok pattern(s) appear to show up after applying the content pack content.

NoX1De almost 4 years ago

Actually, none of the Grok patterns nor any of the Extractors seem to be working after importing the Content Pack and activating the content...on Graylog v2.2.3+7adc951...?

NoX1De almost 4 years ago

Activated the Content Pack after importing and the Grok Pattern is not showing up...anyone have that issue as well?

maritsas almost 4 years ago

Hi everyone! I tested the pack on PAN-OS versions 7.0.9 and 7.0.5 and everything works fine (after I edited date/time/event properly, according to chrkli193's post), EXCEPT the PAN_THREAT Grok pattern. Although I am able to see the Threats/Threat logs that I get on my FWs, I am not getting them into Graylog (version 2.2.3). Is it a Graylog problem or a FW misconfig? I was also wondering if, in order to see the threats, I have to map the log forwarding profile to a security policy (just like with the traffic extractor). It does not seem to be the same (and simple) config as with CONFIG or SYSTEM logs.

Thank you in advance for any answers!

@reighnman: thanks a lot for the code

tekctrl87 about 4 years ago

I can confirm: I edited the .json content pack file and re-imported it with my PAN-OS 7.1.5 and Graylog 2.1.2 on CentOS 7 (thanks chrkli193!).

marciofoz over 4 years ago

I have the same error in 2.1.1 that @speedst3r reported, and using the steps of @chrkli193 only stops the errors on the System/Overview page, but the dashboard does not show any data anymore. Did you create a pattern for %{DATA}, @chrkli193?

giannidaprile over 4 years ago

I can confirm that chrkli193's fix works for me too (Graylog 2.1.1 on CentOS 7).

chrkli193 over 4 years ago

On Ubuntu 16.04 I've changed:

%{DATE_US2:LoggedDate} +%{TIME:LoggedTime}
to
%{DATA:LoggedDate;date;yyyy/MM/dd HH:mm:ss}

%{DATE_US2:EventDate} +%{TIME:EventTime}
to
%{DATA:EventDate;date;yyyy/MM/dd HH:mm:ss}

After that it's working.

speedst3r over 4 years ago

Getting the following error when indexing:
message [MapperParsingException[failed to parse [EventDate]]; nested: IllegalArgumentException[Invalid format: "2016/09/12" is malformed at "/09/12"];]

Vanilla Graylog install on Ubuntu 16.04. I have Netscreen logs inserting without issue.

smallfish01 over 4 years ago

When I click "Configured extractors" on PAN_THREAT, I see that the "Metrics" and "Converter time" on the right show "No message passed through here yet", but I can see logs when I click "Show received messages". That means the logs are received from the Palo Alto firewall on the Graylog server.

smallfish01 over 4 years ago

Thanks for your reply! Did you mean create rules in the Graylog web UI, System/Roles/Dashboard, and add the PaloAlto items and enable read/write?

reighnman over 4 years ago

I am done traveling for a while and will begin looking at upgrading this to support the latest 7.1 fields time permitting :)

nisimar over 4 years ago

Hi @smallfish01, you need to set it in the rules to transfer logs to Graylog.

smallfish01 over 4 years ago

Hi @nisimar, I got the same issue as you; my PAN-OS is 6.1. I'd like to know how you fixed it.

nisimar over 4 years ago

It's working, thanks :)

nisimar over 4 years ago

The dashboard (Graylog 2.0.3) does not display data with PAN-OS 7.1.3.

You can fix it?

Thank you :)

skear over 4 years ago

Working great with graylog2 and Panos 7.x. Very useful content pack!

ashishbar almost 5 years ago

Not working on Graylog 2.0.

thipsup almost 5 years ago

@meoso I use graylog2 with PAN OS 7.0.4 but dashboard show nothing. Do you have any example of your content pack ?

bgarlock almost 5 years ago

@meoso - Would you mind sharing your edits, and contribute back via github? This would be most appreciated and helpful.

meoso almost 5 years ago

Thank you for this!!! Thank you for this!!!
Working with PAN 7.0.4 and Graylog Appliance 1.3.3; needs the new 7.x fields; had to edit the Login Summary dash.

clement201657 almost 5 years ago

It doesn't work for me either. Could anyone help debug?
Nothing is collected on the input.

kevin-sback about 5 years ago

I'm not seeing anything in my dashboards with PAN-OS 6.1.8. When I test the extractor in the "Field matches this regular expression" ^(.*,THREAT,.*), I get "Does not match. Extractor would not run." The Grok pattern passes. Same for Config ^(.*,CONFIG,.*). For System, both the Grok and the expression do not pass. Any ideas? Sorry, new to this. Thanks in advance.

jason-at-key about 5 years ago

works with pan os 7.0.2 and 7.0.3

jason-at-key over 5 years ago

testing w/ panOS 7.0.2
dashboards seem to be working at 1st glance

tfriesen over 5 years ago

Another minor bug. The PAN Threat extractor fails for flood type threats. Here is an updated Grok pattern:

%{IPORHOST:source} +: +%{BASE10NUM:Domain},%{DATE_US2:LoggedDate} +%{TIME:LoggedTime},%{HEXINT:SerialNumber},%{NOTCOMMA:Type},%{NOTCOMMA:Subtype},%{NOTCOMMA:ConfigVersion},%{DATE_US2:EventDate} +%{TIME:EventTime},%{IP:SourceIP},%{IP:DestinationIP},(%{IP:NATSourceIP})?,(%{IP:NATDestinationIP})?,(%{NOTCOMMA:RuleName})?,(%{NOTCOMMA:SourceUser})?,(%{NOTCOMMA:DestinationUser})?,(%{NOTCOMMA:Application})?,%{NOTCOMMA:VirtualSystem},%{NOTCOMMA:SourceZone},%{NOTCOMMA:DestinationZone},(%{NOTCOMMA:IngressInterface})?,(%{NOTCOMMA:EgressInterface})?,%{NOTCOMMA:LogForwardingProfile},%{NOTCOMMA:UNWANTED},%{BASE10NUM:SessionID},%{BASE10NUM:RepeatCount},(%{BASE10NUM:SourcePort})?,(%{BASE10NUM:DestinationPort})?,(%{BASE10NUM:NATSourcePort})?,(%{BASE10NUM:NATDestinationPort})?,%{NOTCOMMA:Flags},%{NOTCOMMA:Protocol},%{NOTCOMMA:Action},%{QSORNC:Miscellaneous},%{NOTCOMMA:ThreatID},%{NOTCOMMA:Category},%{NOTCOMMA:Severity},%{NOTCOMMA:Direction},%{BASE10NUM:Sequence},%{NOTCOMMA:ActionFlags},(%{NOTCOMMA:SourceLocation})?,(%{NOTCOMMA:DestinationLocation}).*

tfriesen over 5 years ago

I've found a few minor bugs in the extractors in this pack. To start, the HOUR pattern is missing, which means it can't parse TIME. For the TRAFFIC extractor, SerialNumber can include hex characters, so it will sometimes fail BASE10NUM. Lastly, my logs don't seem to include a SessionEndReason field, so I had to omit that to get mine to work.

Thanks for the code, nonetheless! This will be really useful once I get all the gotchas sorted out.

reighnman over 5 years ago

You might want to download or install directly again as I went back through the grok patterns to make sure they were included as well as a few other updates.

bac36 over 5 years ago

jdxnster & ifailalot, thank you both for your input. This works for ThreatSummary + URL Filtering, but the GlobalProtect Portal & Threat Summary High-Critical are not receiving any information. Did I miss something else?

jdxnster over 5 years ago

Thanks for this, however the Grok pattern HOUR is missing from the content pack, I simply added the following pattern: "name" : "HOUR", "pattern" : "(?:[0-2][0-9])"

ifailalot over 5 years ago

adding the pattern
YEAR (?:[1-2][0-9][0-9][0-9])
worked for me
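The HOUR and YEAR fixes above (tfriesen, jdxnster, ifailalot) and TheJCamping's reworked extractor prefix all come down to the same question: does every %{NAME} an extractor references exist in the pack's pattern dictionary, and does the expanded regex actually match a PAN-OS line? The following is an added example, not code from any commenter or from Graylog: a tiny Grok expander in Python that lists the undefined names and matches the prefix against a constructed log line. The pattern bodies are assumptions that mirror the pack's (DATE_US2 is assumed to be yyyy/MM/dd, as the "2016/09/12" indexing error suggests), and the sample line is constructed.

```python
import re
# Added example, not Graylog's or the content pack's code: a tiny Grok expander
# to list the pattern names an extractor needs and to test it on a constructed
# PAN-OS line. Pattern bodies are assumed to mirror the pack's; DATE_US2 is
# assumed to be yyyy/MM/dd (cf. the "2016/09/12" indexing error in the thread).
PACK_PATTERNS = {
    "YEAR": r"(?:[1-2][0-9][0-9][0-9])",            # ifailalot's YEAR
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:[0-5]?[0-9]|60)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",     # needs HOUR, which the pack lacks
    "DATE_US2": r"%{YEAR}/%{MONTHNUM}/%{MONTHDAY}",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IPORHOST": r"(?:%{IP}|[0-9A-Za-z][0-9A-Za-z.-]*)",
    "NOTCOMMA": r"[^,]*",
    "HEXINT": r"[0-9A-Fa-f]+",                      # serials may contain hex (tfriesen)
}
PATTERNS_FIXED = {**PACK_PATTERNS, "HOUR": r"(?:[0-2][0-9])"}  # jdxnster's HOUR
REF = re.compile(r"%\{(\w+)(?::(\w+))?(?:;[^}]*)?\}")  # %{NAME:field;converter...}

# Start of the PAN-OS 7.x extractor as TheJCamping posted it, but with the
# pack's original %{TIME} for the time fields.
PREFIX = (r"%{IPORHOST:Source}%{NOTCOMMA},%{DATE_US2:LoggedDate} +%{TIME:LoggedTime},"
          r"%{HEXINT:SerialNumber},%{NOTCOMMA:Type},%{NOTCOMMA:Subtype},%{NOTCOMMA},"
          r"%{DATE_US2:EventDate} +%{TIME:EventTime},")
SAMPLE = "10.0.0.1 1,2017/03/14 10:15:22,001C0123ABCD,TRAFFIC,end,1,2017/03/14 10:15:20,192.0.2.10,198.51.100.7"  # constructed, not a real log

def missing_patterns(pattern, patterns):
    """Names referenced directly or via nested patterns that are not defined."""
    missing = set()
    for name, _ in REF.findall(pattern):
        if name in patterns:
            missing |= missing_patterns(patterns[name], patterns)
        else:
            missing.add(name)
    return missing

def compile_grok(pattern, patterns):
    """Expand nested %{NAME:field} references into one regex; KeyError if undefined."""
    def repl(m):
        inner = REF.sub(repl, patterns[m.group(1)])
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return re.compile(REF.sub(repl, pattern))

def parse_prefix(line, patterns):
    """Fields captured by PREFIX on one line, or None when it does not match."""
    m = compile_grok(PREFIX, patterns).match(line)
    return m.groupdict() if m else None
```

Running missing_patterns(PREFIX, PACK_PATTERNS) returns {'HOUR'}, which is exactly why TIME could not be parsed until the pattern was added; with PATTERNS_FIXED the prefix compiles and parse_prefix(SAMPLE, PATTERNS_FIXED) yields the Source, date, time, serial and type fields.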

rmurphyMLHC over 5 years ago

neildavies44, thank you for your help. I changed the grok to look like this and it still does not import. Thank you for your input.

"name" : "YEAR",
"pattern" : "(?>\\d\\d){1,2}"

neildavies44 over 5 years ago

I had the same error, but if you edit the file, at the end is the YEAR grok pattern and change it from \d\d to \\d\\d and then import, it should work.

rmurphyMLHC over 5 years ago

I am getting the same error as ltb76.
ltb76 over 5 years ago

I cannot seem to import this - I get the error: "Error! The uploaded bundle could not be applied: does it have the right format? "
I have tried re-downloading.
