Skip to content

Commit

Permalink
[Filebeat] Add PanOS Global Protect & User ID logs (#24927)
Browse files Browse the repository at this point in the history
Updates the Panw PanOS module to parse the Palo Alto Global Protect and User ID logs.

(cherry picked from commit 99ba1a2)
  • Loading branch information
legoguy1000 authored and mergify-bot committed May 12, 2021
1 parent b54b2e5 commit 92ff38c
Show file tree
Hide file tree
Showing 18 changed files with 2,646 additions and 780 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -578,6 +578,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128]
- Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482]
- Mark `filestream` input beta. {pull}25560[25560]
- Update PanOS module to parse Global Protect & User ID logs. {issue}24722[24722] {issue}24724[24724] {pull}24927[24927]

*Heartbeat*

Expand Down
273 changes: 273 additions & 0 deletions filebeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -107511,6 +107511,279 @@ Specifies the sub type of the log
Virtual system instance


type: keyword

--

*`panw.panos.client_os_ver`*::
+
--
The client device’s OS version.


type: keyword

--

*`panw.panos.client_os`*::
+
--
The client device’s OS version.


type: keyword

--

*`panw.panos.client_ver`*::
+
--
The client’s GlobalProtect app version.


type: keyword

--

*`panw.panos.stage`*::
+
--
A string showing the stage of the connection


type: keyword

example: before-login

--

*`panw.panos.actionflags`*::
+
--
A bit field indicating if the log was forwarded to Panorama.


type: keyword

--

*`panw.panos.error`*::
+
--
A string showing that error that has occurred in any event.


type: keyword

--

*`panw.panos.error_code`*::
+
--
An integer associated with any errors that occurred.


type: integer

--

*`panw.panos.repeatcnt`*::
+
--
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.


type: integer

--

*`panw.panos.serial_number`*::
+
--
The serial number of the user’s machine or device.


type: keyword

--

*`panw.panos.auth_method`*::
+
--
A string showing the authentication type


type: keyword

example: LDAP

--

*`panw.panos.datasource`*::
+
--
Source from which mapping information is collected.


type: keyword

--

*`panw.panos.datasourcetype`*::
+
--
Mechanism used to identify the IP/User mappings within a data source.


type: keyword

--

*`panw.panos.datasourcename`*::
+
--
User-ID source that sends the IP (Port)-User Mapping.


type: keyword

--

*`panw.panos.factorno`*::
+
--
Indicates the use of primary authentication (1) or additional factors (2, 3).


type: integer

--

*`panw.panos.factortype`*::
+
--
Vendor used to authenticate a user when Multi Factor authentication is present.


type: keyword

--

*`panw.panos.factorcompletiontime`*::
+
--
Time the authentication was completed.


type: date

--

*`panw.panos.ugflags`*::
+
--
Displays whether the user group that was found during user group mapping. Supported values are:
User Group Found—Indicates whether the user could be mapped to a group.
Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.


type: keyword

--

[float]
=== device_group_hierarchy

A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.



*`panw.panos.device_group_hierarchy.level_1`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.device_group_hierarchy.level_2`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.device_group_hierarchy.level_3`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.device_group_hierarchy.level_4`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.timeout`*::
+
--
Timeout after which the IP/User Mappings are cleared.


type: integer

--

*`panw.panos.vsys_id`*::
+
--
A unique identifier for a virtual system on a Palo Alto Networks firewall.


type: keyword

--

*`panw.panos.vsys_name`*::
+
--
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.


type: keyword

--

*`panw.panos.description`*::
+
--
Additional information for any event that has occurred.


type: keyword

--

*`panw.panos.tunnel_type`*::
+
--
The type of tunnel (either SSLVPN or IPSec).


type: keyword

--
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/panw/fields.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 92ff38c

Please sign in to comment.