Missing docs file

filebeat/docs/modules/palo_alto.asciidoc

@@ -0,0 +1,188 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-palo_alto]]
+[role="xpack"]
+
+:modulename: palo_alto
+:has-dashboards: true
+
+== Palo Alto Networks module
+
+This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received
+over Syslog or read from a file. It currently supports messages of Traffic and
+Threat types.
+
+[float]
+=== Compatibility
+
+This module has been tested with logs generated by devices running PAN-OS
+versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.
+
+The {plugins}/ingest-geoip.html[ingest-geoip]
+Elasticsearch plugin is required to run this module.
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== ECS field mappings
+
+These are the PAN-OS to ECS field mappings as well as those fields still not
+in ECS that are added under the `palo_alto` prefix:
+
+.Traffic log mappings
+[options="header"]
+|==============
+| PAN-OS Field | ECS Field | Non-standard field
+| Receive Time | event.created |
+| Serial Number | observer.serial_number |
+| Type | event.category |
+| Subtype | event.action |
+| Generated Time | `@timestamp` |
+| Source IP | client.ip source.ip |
+| Destination IP | server.ip destination.ip |
+| NAT Source IP |  | palo_alto.source.nat.ip
+| NAT Destination IP |  | palo_alto.destination.nat.ip
+| Rule Name |  | palo_alto.ruleset
+| Source User | client.user.name source.user.name |
+| Destination User | server.user.name destination.user.name |
+| Application | network.application |
+| Source Zone |  | palo_alto.source.zone
+| Destination Zone |  | palo_alto.destination.zone
+| Ingress Interface |  | palo_alto.source.interface
+| Egress Interface |  | palo_alto.destination.interface
+| Session ID |  | palo_alto.flow_id
+| Source Port | client.port source.port |
+| Destination Port | destination.port server.port |
+| NAT Source Port |  | palo_alto.source.nat.port
+| NAT Destination Port |  | palo_alto.destination.nat.port
+| Flags | labels |
+| Protocol | network.transport |
+| Action | event.outcome |
+| Bytes | network.bytes |
+| Bytes Sent | client.bytes destination.bytes |
+| Bytes Received | server.bytes source.bytes |
+| Packets | network.packets |
+| Start Time | event.start |
+| Elapsed Time | event.duration |
+| Category |  | palo_alto.url.category
+| Sequence Number |  | palo_alto.sequence_number
+| Packets Sent | server.packets destination.packets |
+| Packets Received | client.packets source.packets |
+| Device Name | observer.hostname |
+|==============
+
+.Threat logs mappings
+[options="header"]
+|==============
+| PAN-OS Field | ECS Field | Non-standard field
+| Receive Time | event.created |
+| Serial Number | observer.serial_number |
+| Type | event.category |
+| Subtype | event.action |
+| Generated Time | `@timestamp` |
+| Source IP | client.ip source.ip |
+| Destination IP | server.ip destination.ip |
+| NAT Source IP |  | palo_alto.source.nat.ip
+| NAT Destination IP |  | palo_alto.destination.nat.ip
+| Rule Name |  | palo_alto.ruleset
+| Source User | client.user.name source.user.name |
+| Destination User | server.user.name destination.user.name |
+| Application | network.application |
+| Source Zone |  | palo_alto.source.zone
+| Destination Zone |  | palo_alto.destination.zone
+| Ingress Interface |  | palo_alto.source.interface
+| Egress Interface |  | palo_alto.destination.interface
+| Session ID |  | palo_alto.flow_id
+| Source Port | client.port source.port |
+| Destination Port | destination.port server.port |
+| NAT Source Port |  | palo_alto.source.nat.port
+| NAT Destination Port |  | palo_alto.destination.nat.port
+| Flags | labels |
+| Protocol | network.transport |
+| Action | event.outcome |
+| Miscellaneous | url.original | palo_alto.threat_file_or_url
+| Threat ID |  | palo_alto.threat_id
+| Category |  | palo_alto.url.category
+| Severity | log.level |
+| Direction | network.direction |
+| Source Location | source.geo.country_iso_code |
+| Destination Location | destination.geo.country_iso_code |
+| PCAP_id |  | palo_alto.network.pcap_id
+| Filedigest |  | palo_alto.file.hash
+| User Agent | user_agent.original |
+| File Type | file.type |
+| X-Forwarded-For | network.forwarded_ip |
+| Referer | http.request.referer |
+| Sender | source.user.email |
+| Subject |  | palo_alto.subject
+| Recipient | destination.user.email |
+| Device Name | observer.hostname |
+|==============
+
+// [float]
+// === Example dashboard
+//
+// This module comes with a sample dashboard:
+//
+// (TODO)
+// [role="screenshot"]
+// image::./images/kibana-cisco-asa.png[]
+
+include::../include/configuring-intro.asciidoc[]
+
+The module is by default configured to run via syslog on port 9001. However
+it can also be configured to read logs from a file. See the following example.
+
+["source","yaml",subs="attributes"]
+-----
+- module: palo_alto
+  pan_os:
+    enabled: true
+    var.paths: ["/var/log/pan-os.log"]
+    var.input: "file"
+-----
+
+:fileset_ex: pan_os
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `pan_os` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+  pan_os:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 514
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to `9001`
+
+NOTE: Ports below 1024 require {beatname_uc} to run as root.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-palo_alto,exported fields>> section.
+