Security Onion Palo Alto syslogs


Pete Halatsis

Sep 18, 2020, 6:09:17 PM
to security-onion
What is the best way to push Palo Alto Panorama syslogs to Security Onion? The logs are not parsed correctly through the default syslog port 514. I have tried multiple ways of trying to modify it but all have failed. I have not tried modifying syslog-ng.conf as I do not understand it.

Variations of this did not work either: https://github.com/shadow-box/Palo-Alto-Networks-ELK-Stack

I am looking for the best way to do it and hopefully some easy instructions or link to documentation.

Any help would be appreciated!
(Palo Alto v.9.0)

Ibrahim Ibrahim

Sep 19, 2020, 1:38:03 AM
to security-onion
Hi Pete,

I set up a Filebeat server with the palo module enabled on input port 9001 and then sent the output to the SO Logstash. It can't parse all the fields, but there are some fields with names pan** that cannot be indexed even after I refresh the index management.

Pete Halatsis

Sep 21, 2020, 11:40:51 AM
to security-onion
Thanks. I am setting this up all on a single server for testing. I tried sending the logs directly to Filebeat on the same server and then on to Logstash with a custom config file (a modified version of the one in the link above), but it did not work well.

So I am wondering where I should focus my efforts: sending to Filebeat (may need to be a separate server?), sending directly to Logstash (mixed results with that), or something else? If there is a way to do this all on the same server, please advise what port I should use and how to get the service listening. To send to Logstash I had to modify the OPTIONS field in securityonion.conf. Again, not sure if I was going down the right path!

Pete Halatsis

Sep 23, 2020, 11:45:21 AM
to security-onion
I have my logs hitting where I expect them now. I created a Logstash conf file that filters based on `if [syslog-sourceip] == "myPANIP"`. (Please let me know if there is a better way.)

My problem now is that the data is not matching the correct fields. I assumed this was done by having `source => message, columns => "col1,col2,col3"`. I copied the column layout from Palo Alto for my version of PAN-OS and yet they aren't correct. I feel like I am missing something obvious?

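Added example (not from the thread or from Palo Alto): a small parser that does what the CSV step above has to do, stripping the syslog header, splitting the body with quote-aware CSV handling (rule names and URLs can contain commas), and picking the column layout from the 4th field, the log type. A single column list only fits one log type; TRAFFIC, THREAT and SYSTEM logs arrive on the same syslog stream with different layouts, so each needs its own list. The header regex, the sample line and the TRAFFIC column names are assumptions; check the column order against the syslog field descriptions for your PAN-OS version.

```python
import csv
import re

# BSD-style syslog header as a PAN-OS device sends it by default: "<PRI>MMM dd HH:MM:SS host ".
# Assumed pattern; adjust if the firewall is configured for IETF (RFC 5424) format.
SYSLOG_HEADER = re.compile(r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+")

# Leading columns of the PAN-OS 9.x TRAFFIC log (assumed transcription of the vendor's
# field list; verify against the documentation for the exact PAN-OS version in use).
TRAFFIC_COLUMNS = [
    "future_use_1", "receive_time", "serial_number", "type", "subtype", "future_use_2",
    "generated_time", "src_ip", "dst_ip", "nat_src_ip", "nat_dst_ip", "rule_name",
    "src_user", "dst_user", "application", "vsys", "from_zone", "to_zone",
    "inbound_if", "outbound_if", "log_action", "future_use_3", "session_id",
    "repeat_count", "src_port", "dst_port", "nat_src_port", "nat_dst_port",
    "flags", "protocol", "action",
]
# One layout per log type; THREAT, SYSTEM, CONFIG etc. would get their own lists here.
LAYOUTS = {"TRAFFIC": TRAFFIC_COLUMNS}

def parse_pan_syslog(line, layouts=LAYOUTS):
    """Return a dict of named fields for one PAN-OS syslog line.
    Fields beyond the known layout (or all fields, for an unknown log type) get
    positional names column1..N, which mirrors what the Logstash csv filter does and
    makes a layout/version mismatch visible instead of silently mislabelling data."""
    body = SYSLOG_HEADER.sub("", line.rstrip("\r\n"), count=1)
    fields = next(csv.reader([body]))          # quote-aware split: "a,b" stays one field
    if len(fields) < 4:
        raise ValueError("not a PAN-OS CSV body: %r" % body[:40])
    log_type = fields[3]
    columns = layouts.get(log_type, [])
    event = {"log_type": log_type, "layout_known": log_type in layouts}
    for i, value in enumerate(fields):
        event[columns[i] if i < len(columns) else "column%d" % (i + 1)] = value
    # Fewer fields than columns means the column list does not match this firmware's layout.
    event["layout_mismatch"] = len(fields) < len(columns)
    return event

# Constructed sample line (not real firewall output); note the quoted rule name with a comma.
SAMPLE = ('<14>Sep 23 11:45:21 PA-VM 1,2020/09/23 11:45:20,007200001234,TRAFFIC,end,2049,'
          '2020/09/23 11:45:20,10.0.0.5,203.0.113.7,0.0.0.0,0.0.0.0,"allow-web,v2",'
          'corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,'
          'default,2049,12345,1,51234,443,0,0,0x400000,tcp,allow')

if __name__ == "__main__":
    for k, v in parse_pan_syslog(SAMPLE).items():
        print("%-16s %s" % (k, v))
```

The Logstash equivalent is one `if [type] == "TRAFFIC"` branch per log type, each with its own csv filter whose `columns` option is an array (`columns => ["future_use_1", "receive_time", ...]`), not a single comma-separated string.
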
PeteH

Sep 24, 2020, 1:09:20 PM
to security-onion
I think this is a Logstash issue specifically, so I have posted over there.