[panw] Enable RFC 6587 framing by default on TCP input (#5787)

- Enabled RFC 6587 framing by default on the TCP input, as PAN-OS devices will use this framing by default when TCP (and TLS) is used. - Added note in docs recommending that IETF format is used on PAN-OS and that RFC 6587 is enabled by default with TCP input. - Remove non-compliant category from manifest.
elastic · Apr 5, 2023 · 8a3df8b · 8a3df8b
1 parent 8bb1537
commit 8a3df8b
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 4 deletions.
diff --git a/packages/panw/_dev/build/docs/README.md b/packages/panw/_dev/build/docs/README.md
@@ -20,6 +20,8 @@ To configure syslog monitoring, please follow the steps mentioned in the [_Confi
 - If events are getting truncated, then increase `max_message_size` option for TCP and UDP input type.
   - It can be found under Advanced Options and can be configured as per requirements. The default value of `max_message_size` is set to 50KiB.
 
+- If the TCP input is used, it is recommended that PAN-OS is configured to send syslog messages using the IETF (RFC 5424) format. In addition, RFC 6587 framing (Octet Counting) will be enabled by default on the TCP input.
+
 ## Logs
 
 ### PAN-OS

diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.7.0"
+  changes:
+    - description: Enable RFC 6587 framing by default on TCP input.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/5787
 - version: "3.6.0"
   changes:
     - description: Update package to ECS 8.7.0.

diff --git a/packages/panw/data_stream/panos/manifest.yml b/packages/panw/data_stream/panos/manifest.yml
@@ -96,9 +96,8 @@ streams:
         show_user: false
         default: |
           max_message_size: 50KiB
+          framing: rfc6587
           #max_connections: 1
-          #framing: delimiter
-          #line_delimiter: "\n"
         description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details.
   - input: udp
     title: "Collect logs via syslog over UDP"

diff --git a/packages/panw/docs/README.md b/packages/panw/docs/README.md
@@ -20,6 +20,8 @@ To configure syslog monitoring, please follow the steps mentioned in the [_Confi
 - If events are getting truncated, then increase `max_message_size` option for TCP and UDP input type.
   - It can be found under Advanced Options and can be configured as per requirements. The default value of `max_message_size` is set to 50KiB.
 
+- If the TCP input is used, it is recommended that PAN-OS is configured to send syslog messages using the IETF (RFC 5424) format. In addition, RFC 6587 framing (Octet Counting) will be enabled by default on the TCP input.
+
 ## Logs
 
 ### PAN-OS

diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml
@@ -1,12 +1,12 @@
 name: panw
 title: Palo Alto Next-Gen Firewall
-version: "3.6.0"
+version: "3.7.0"
 release: ga
 description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent.
 type: integration
 format_version: 1.0.0
 license: basic
-categories: [security, network, firewall_security]
+categories: [security, network]
 conditions:
   kibana.version: ^8.2.1
 icons: