[Filebeat] Add PanOS Global Protect & User ID logs #24927

Merged
merged 9 commits into from
May 12, 2021
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -851,6 +851,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128]
- Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482]
- Mark `filestream` input beta. {pull}25560[25560]
- Update PanOS module to parse Global Protect & User ID logs. {issue}24722[24722] {issue}24724[24724] {pull}24927[24927]

*Heartbeat*

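Review bot: The added changelog line spells the product names as `PanOS` and `Global Protect`, while the field descriptions in this same PR use `GlobalProtect` (see `panw.panos.client_ver` and `panw.panos.repeatcnt`) and `User-ID` (see `panw.panos.datasourcename`), and the module directory is `panw`. Suggest `- Update panw module to parse PAN-OS GlobalProtect and User-ID logs.` so the entry matches the vendor spelling used elsewhere in the change and is searchable by the module name users actually enable.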
273 changes: 273 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -113721,6 +113721,279 @@ Specifies the sub type of the log
Virtual system instance


type: keyword

--

*`panw.panos.client_os_ver`*::
+
--
The client device’s OS version.


type: keyword

--

*`panw.panos.client_os`*::
+
--
The client device’s OS version.


type: keyword

--

*`panw.panos.client_ver`*::
+
--
The client’s GlobalProtect app version.


type: keyword

--

*`panw.panos.stage`*::
+
--
A string showing the stage of the connection


type: keyword

example: before-login

--

*`panw.panos.actionflags`*::
+
--
A bit field indicating if the log was forwarded to Panorama.


type: keyword

--

*`panw.panos.error`*::
+
--
A string showing that error that has occurred in any event.


type: keyword

--

*`panw.panos.error_code`*::
+
--
An integer associated with any errors that occurred.


type: integer

--

*`panw.panos.repeatcnt`*::
+
--
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.


type: integer

--

*`panw.panos.serial_number`*::
+
--
The serial number of the user’s machine or device.


type: keyword

--

*`panw.panos.auth_method`*::
+
--
A string showing the authentication type


type: keyword

example: LDAP

--

*`panw.panos.datasource`*::
+
--
Source from which mapping information is collected.


type: keyword

--

*`panw.panos.datasourcetype`*::
+
--
Mechanism used to identify the IP/User mappings within a data source.


type: keyword

--

*`panw.panos.datasourcename`*::
+
--
User-ID source that sends the IP (Port)-User Mapping.


type: keyword

--

*`panw.panos.factorno`*::
+
--
Indicates the use of primary authentication (1) or additional factors (2, 3).


type: integer

--

*`panw.panos.factortype`*::
+
--
Vendor used to authenticate a user when Multi Factor authentication is present.


type: keyword

--

*`panw.panos.factorcompletiontime`*::
+
--
Time the authentication was completed.


type: date

--

*`panw.panos.ugflags`*::
+
--
Displays whether the user group that was found during user group mapping. Supported values are:
User Group Found—Indicates whether the user could be mapped to a group.
Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found.


type: keyword

--

[float]
=== device_group_hierarchy

A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.



*`panw.panos.device_group_hierarchy.level_1`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.device_group_hierarchy.level_2`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.device_group_hierarchy.level_3`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.device_group_hierarchy.level_4`*::
+
--
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.


type: keyword

--

*`panw.panos.timeout`*::
+
--
Timeout after which the IP/User Mappings are cleared.


type: integer

--

*`panw.panos.vsys_id`*::
+
--
A unique identifier for a virtual system on a Palo Alto Networks firewall.


type: keyword

--

*`panw.panos.vsys_name`*::
+
--
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.


type: keyword

--

*`panw.panos.description`*::
+
--
Additional information for any event that has occurred.


type: keyword

--

*`panw.panos.tunnel_type`*::
+
--
The type of tunnel (either SSLVPN or IPSec).


type: keyword

--
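Review bot: Several field descriptions in this hunk are copy-paste errors that will ship in the exported field reference. `panw.panos.client_os` repeats the `client_os_ver` text ("The client device's OS version.") although it holds the OS name, not the version; `panw.panos.repeatcnt` has the `error_code` sentence ("An integer associated with any errors that occurred.") appended after "five seconds." with no separating space; `panw.panos.error` reads "showing that error that has occurred" (should be "the error"); `panw.panos.ugflags` opens with "Displays whether the user group that was found", which is not a sentence; and all four `panw.panos.device_group_hierarchy.level_N` fields carry the full section paragraph instead of stating which ancestor level each one holds (level_1 being the outermost, per the 12, 34, 45 example). `panw.panos.timeout` also gives no unit; if the vendor reports seconds, say so. Since this file is generated (the PR also touches the generated `x-pack/filebeat/module/panw/fields.go`), the corrections belong in the module's `fields.yml` source and the docs should then be regenerated, otherwise the asciidoc and the Go field blob drift apart.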
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/panw/fields.go