The Cribl Pack for Palo Alto Networks Firewalls processes events with the following goals in mind:
- Events are received via syslog directly from Palo Alto firewalls
- Add Splunk metadata to events (e.g. index, source, sourcetype, host)
- Reduce event size by trimming the syslog header and removing unnecessary fields such as the "future_use" and "time" fields. You should expect to see a 15-30% reduction in the size of your Palo Alto Firewall log data.
- Install this pack from the Cribl Pack Dispensary, use the Git clone feature inside Cribl Stream, or download the most recent `.crbl` file from the repo releases page.
- Create a Route with a filter for your Palo Alto Firewall events. A sample filter to match all events:

```js
(sourcetype=='pan:log' || sourcetype=='pan_log' || /^[^,]+,[^,]+,[^,]+,(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID|GLOBALPROTECT),/.test(_raw))
```

- Select the `cribl-palo-alto-networks` pack as the pipeline.
- Configure the Global Variable (`pan_default_index`) inside the Pack with the appropriate Splunk index for your Palo Alto logs. By default, the `index` field will be set to `pan_logs`.
This pack assumes firewalls currently use UTC/GMT for their time zone configuration. If any device uses a local time zone, please configure an entry in the `device_info.csv` lookup file (located in the pack's Knowledge content) to adjust timestamps with the time zone of the firewall. The time zone acts as the offset used to adjust the timestamp of the event to UTC with the Auto Timestamp function.
The lookup file expects data in two columns: `host` and `tz`.
The `host` field accepts a regular expression to match the hostname of the firewall. The most specific regex in the lookup will be used to match the time zone.
Consider an example with the following hostnames using a standard naming convention. The format follows this pattern:
- Static `FW` string
- ISO 3166-1 alpha-2 country code
- Optional State or Province code
- City or IATA airport code
- Device identifier
Here are some example hostnames:

```
FW-US-MO-KC-01
FW-US-MO-KC-02
FW-US-MO-STL-01
FW-US-TX-DFW-01
FW-US-TX-AUS-01
FW-US-TX-ELP-01
FW-UK-LON-01
FW-JP-HND-01
```
The first five examples are in the US Central time zone. El Paso, Texas (ELP) observes Mountain Time. The final two examples are London and Tokyo, in the Europe/London and Asia/Tokyo time zones, respectively.
A regex of `FW-.*` would match all firewalls, and a specific regex of `FW-US-MO-KC-\d+` would only match the firewalls in the Kansas City data center. Matches for `FW-US-MO-KC-\d+` take higher precedence over the `FW-.*` regex. This functionality can be used to match specific firewalls or groups of firewalls and provide a time zone for each with increasing precedence. More information about this behavior is provided on the Cribl Documentation Lookup Function page.
Time zones are configured using Olson formatted time zones (e.g. `America/Chicago`) and applied with the `C.Time.adjustTZ` function. A listing of time zones can be found here.
Cribl uses a third-party library, `timezone-support`, to import time zone definitions. As of the time of writing, Cribl uses version 2.0.2 of this package, which supports all time zones up to the 2019a release of the IANA Time Zone Database but may include more up-to-date entries. Please verify before using a specific time zone. All changes to the time zone database since 2016 can be found here.
Here is an example lookup file based on the scenario above, utilizing increasing regex specificity for time zone matching:

```csv
host,tz
FW-US-.*,America/Chicago
FW-US-TX-ELP-.*,America/Denver
FW-JP-.*,Asia/Tokyo
FW-UK-.*,Europe/London
```

Firewalls not matching any entry in this list are assumed to already have timestamps in UTC.
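To see the Route filter from the installation steps and the regex lookup above working end to end, here is an added Python example. It is not code from this pack or from Cribl: it applies the README's sample filter regex to raw events, reads the example `device_info.csv`, picks the most specific matching `host` pattern, and converts each event's `receive_time` from the firewall's local time zone to UTC, falling back to UTC for hosts with no entry. Assumptions: an RFC 3164 style syslog header (`<PRI>Mon dd hh:mm:ss HOST msg`, including the two-space single-digit-day form), "most specific" modelled as the longest matching pattern, and `receive_time` taken as the second comma-separated PAN-OS field. The CSV contents and log lines are constructed.

```python
import csv
import io
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed copy of the example device_info.csv from this README.
DEVICE_INFO_CSV = """host,tz
FW-US-.*,America/Chicago
FW-US-TX-ELP-.*,America/Denver
FW-JP-.*,Asia/Tokyo
FW-UK-.*,Europe/London
"""

# The README's sample Route filter regex, unchanged (JS and Python share this syntax).
PAN_ROUTE_RE = re.compile(
    r"^[^,]+,[^,]+,[^,]+,"
    r"(THREAT|TRAFFIC|SYSTEM|CONFIG|HIPMATCH|CORRELATION|USERID|GLOBALPROTECT),"
)

# Assumed RFC 3164 style header: <PRI>Mon dd hh:mm:ss HOST message.
# "\s+" after the month accepts the two-space, single-digit-day form ("Jan  5").
SYSLOG_HDR_RE = re.compile(
    r"^<\d+>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) (.*)$", re.DOTALL
)

# Constructed sample events (fields after the log type are abbreviated).
SAMPLE_LINES = [
    "<14>Jan 15 14:30:00 FW-US-MO-KC-01 1,2024/01/15 14:30:00,001234567890,TRAFFIC,end,2561,2024/01/15 14:30:00,10.1.1.5,93.184.216.34",
    "<14>Jan  5 14:30:00 FW-US-TX-ELP-01 1,2024/01/05 14:30:00,001234567891,THREAT,vulnerability,2561,2024/01/05 14:30:00,10.2.2.9,198.51.100.7",
    "<14>Jan 15 14:30:00 FW-DE-FRA-01 1,2024/01/15 14:30:00,001234567892,SYSTEM,general,0,2024/01/15 14:30:00",
    "<13>Jan 15 14:30:00 FW-US-MO-KC-01 sshd[4242]: Accepted publickey for admin from 10.1.1.2",
]


def load_device_info(text):
    """Parse the two-column lookup into (compiled host regex, tz name) pairs."""
    return [(re.compile(r["host"]), r["tz"]) for r in csv.DictReader(io.StringIO(text))]


def lookup_tz(host, table):
    """Return the tz of the most specific matching host regex, or UTC when nothing matches.

    Assumption: "most specific" is modelled as the longest matching pattern; Cribl's own
    tie-breaking rule is documented on its Lookup Function page, not here.
    """
    matches = [(pat, tz) for pat, tz in table if pat.search(host)]
    if not matches:
        return "UTC"
    return max(matches, key=lambda m: len(m[0].pattern))[1]


def split_syslog(line):
    """Return (host, raw message) from a syslog line, or None if the header does not parse."""
    m = SYSLOG_HDR_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def is_pan_event(raw):
    """Route filter: the fourth comma-separated field must be a known PAN-OS log type."""
    return PAN_ROUTE_RE.search(raw) is not None


def normalize(lines, table):
    """For each PAN-OS event, convert receive_time (second field) from the firewall's
    local time zone to UTC. Returns (host, tz, ISO-8601 UTC time) tuples; lines that
    fail the Route filter are skipped."""
    out = []
    for line in lines:
        parsed = split_syslog(line)
        if parsed is None or not is_pan_event(parsed[1]):
            continue
        host, raw = parsed
        fields = next(csv.reader([raw]))  # csv handles quoted fields containing commas
        tz_name = lookup_tz(host, table)
        local = datetime.strptime(fields[1], "%Y/%m/%d %H:%M:%S")
        # Naive wall-clock time; ambiguous DST fall-back times resolve to fold=0.
        utc = local.replace(tzinfo=ZoneInfo(tz_name)).astimezone(timezone.utc)
        out.append((host, tz_name, utc.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return out


if __name__ == "__main__":
    for row in normalize(SAMPLE_LINES, load_device_info(DEVICE_INFO_CSV)):
        print(row)
```

Running it shows the El Paso firewall picking up `America/Denver` over the broader `FW-US-.*` entry, the unlisted German host passing through unchanged as UTC, and the `sshd` line being dropped by the Route filter before any time zone work happens. Note that the filter only inspects the first four comma-separated fields, so a quoted field containing a comma earlier in the line would not matter here, but the `receive_time` extraction does rely on proper CSV parsing.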
- In pan_traffic pipeline, add missing `src_dvc_profile` field to the serializer function
- In pan_threat pipeline, remove two fields from the list of fields to be dropped: `src_location` and `dest_location`
- Fix various typos in pipelines.
- Fix issue with time zone function in Correlation pipeline
- Fixes typo in Correlation pipeline
- Fixes incorrect sourcetype set in Decryption pipeline
- Add explanations why fields are dropped
- New feature: use Global Variables to define default `index` and `source` field values. Change in one location instead of every pipeline!
- Rewrites pipeline logic to separate the parser reserialize function into separate parser extract and serialize functions
- New feature: set the global variable `pan_device_name_as_host` to set the `host` field value from the `dvc_host` field value instead of the syslog header.
- Update to version 1.0.0 - major release for new Pack Dispensary 🎉
- Changes Pack ID from `PAN` to `cribl-palo-alto-networks` to match naming convention of Cribl built Packs. This is a breaking change and all references in Routes/Pipelines must be updated!
- Updates parser fields to PAN OS 10.2. All fields added in PAN OS 10 are removed from events by default.
- Adds Correlation event log pipeline.
- `device_info.csv` now uses Olson formatted time zones (e.g. `America/Chicago`) instead of static offsets and the `C.Time.adjustTZ` function for better time zone support. A listing of time zones can be found here.
- Bug fix - Corrects an issue in pipelines where the hostname is not correctly extracted if the date is a single digit. Unifies the hostname extraction across all pipelines.
- Routes use `indexOf` filter instead of `test` for higher performance.
- Adds `device_info.csv` lookup file and lookup function in pipelines to adjust time zones per firewall.
- Adds pack display name for LogStream v3.1
- Fixes README
- Initial release
Discuss this pack on our Community Slack channel #packs.
The author of this pack is Brendan Dalpe and can be contacted at [email protected].
This Pack uses the following license: Apache 2.0.