Palo Alto Networks PAN-OS v9.x Elastic Stack v6.x Configuration
The goal of this project was to create a configuration which parses and stores ALL syslog fields within PAN-OS v9.x. Most other configurations I came across required editing which fields PAN-OS sent, which inherently meant loss of data fidelity.
Currently this configuration correctly parses all fields from the following log types:
- Traffic
- Threat (including URL Filtering Logs)
- User-ID (Coming Soon)
For a complete description of all of the syslog fields for PAN-OS v9.x please see the documentation below: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions.html
Installation Instructions:
First follow the excellent instructions available online for setting up the following components:
- Logstash, Elasticsearch & Kibana v6.x
After the setup perform the following:
Firewall(s)/Panorama:
- Configure both the traffic and the threat logs to be sent to the Logstash server on port 5514 (both TCP and UDP are supported).
- Reference PAN-OS v9.x Documentation: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions.html
Logstash:
- Copy PAN-OS.conf to the Logstash configuration location and restart the service.
Elasticsearch:
- Put the Elasticsearch templates provided in this repository with the following commands:
curl -XPUT http://<your-elasticsearch-server>:9200/_template/traffic?pretty -H 'Content-Type: application/json' -d @traffic_template_mapping-v1.1.json
curl -XPUT http://<your-elasticsearch-server>:9200/_template/threat?pretty -H 'Content-Type: application/json' -d @threat_template_mapping-v1.1.json
Kibana:
- Create the index patterns for both traffic and threat with the time filter of @timestamp.
- Optionally upload the Visualizations provided in the Visualizations sub-directory.
Example Visualization Provided:
