elastic#24724: Add Global Protect logs
legoguy1000 committed May 11, 2021
1 parent 72eb4cd commit f10b0ff
Showing 12 changed files with 1,095 additions and 746 deletions.
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/panw/fields.go


67 changes: 67 additions & 0 deletions x-pack/filebeat/module/panw/panos/_meta/fields.yml
Expand Up @@ -147,3 +147,70 @@
type: keyword
description: >
Virtual system instance
# - name: eventid
# type: keyword
# description: >
# A string showing the name of the event.

# - name: hostid
# type: keyword
# description: >
# The unique ID that GlobalProtect assigns to identify the host.

# - name: machinename
# type: keyword
# description: >
# The name of the user’s machine.

- name: client_os_ver
type: keyword
description: >
The client device’s OS version.
- name: client_os
type: keyword
description: >
The client device’s OS version.
- name: client_ver
type: keyword
description: >
The client’s GlobalProtect app version.
- name: stage
type: keyword
example: before-login
description: >
A string showing the stage of the connection
- name: actionflags
type: keyword
description: >
A bit field indicating if the log was forwarded to Panorama.
- name: error
type: keyword
description: >
A string showing that error that has occurred in any event.
- name: error_code
type: integer
description: >
An integer associated with any errors that occurred.
- name: repeatcnt
type: integer
description: >
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.
- name: serial_number
type: keyword
description: >
The serial number of the user’s machine or device.
- name: auth_method
type: keyword
example: LDAP
description: >
A string showing the authentication type
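Review bot: The description of `client_os` repeats the `client_os_ver` text, "The client device's OS version.", so the two fields are documented identically; it should read `The client device's OS.`. `repeatcnt`'s description ends with a sentence copied from `error_code` ("An integer associated with any errors that occurred.") that should be dropped, and `error`'s description has "that error that" where "the error that" is meant. `eventid` is left commented out here while the input.yml change in this commit maps `panw.panos.eventid: 11` for USERID logs, so unless it is declared earlier in this file that field has no mapping; either declare it or, for consistency with the GLOBALPROTECT mapping that uses `event.code: 8`, send the USERID event id to `event.code` too. The enclosing field list starts above this hunk.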
90 changes: 81 additions & 9 deletions x-pack/filebeat/module/panw/panos/config/input.yml
Expand Up @@ -172,6 +172,87 @@ processors:
destination.user.email: 52
observer.hostname: 59

- extract_array:
when:
equals:
panw.panos.type: GLOBALPROTECT
field: csv
omit_empty: true
overwrite_keys: true
fail_on_error: false
mappings:
panw.panos.virtual_sys: 7
event.code: 8
panw.panos.stage: 9
panw.panos.auth_method: 10
panw.panos.tunnel_type: 11
_temp_.srcuser: 12
_temp_.srcloc: 13
host.name: 14
source.nat.ip: 15
client.nat.ip: 15
_temp_.public_ipv6: 16
host.ip: 17
source.ip: 17
client.ip: 17
source.address: 17
client.address: 17
_temp_.private_ipv6: 18
host.id: 19
panw.panos.serial_number: 20
panw.panos.client_ver: 21
panw.panos.client_os: 22
panw.panos.client_os_ver: 23
panw.panos.repeatcnt: 24
event.reason: 25
panw.panos.error: 26
panw.panos.description: 27
event.outcome: 28
observer.geo.name: 29
event.duration: 30
panw.panos.connect_method: 31
panw.panos.error_code: 32
observer.hostname: 33
panw.panos.sequence_number: 34
panw.panos.actionflags: 35

- extract_array:
when:
equals:
panw.panos.type: USERID
field: csv
omit_empty: true
overwrite_keys: true
fail_on_error: false
mappings:
panw.panos.virtual_sys: 7
client.ip: 8
source.ip: 8
source.address: 8
_temp_.srcuser: 9
panw.panos.datasourcename: 10
panw.panos.eventid: 11
panw.panos.repeatcnt: 12
panw.panos.timeout: 13
source.port: 14
client.port: 14
destination.port: 15
server.port: 15
panw.panos.datasource: 16
panw.panos.datasourcetype: 17
panw.panos.sequence_number: 18
panw.panos.actionflags: 19
panw.panos.dg_hier: 20
panw.panos.vsys_name: 21
observer.hostname: 22
panw.panos.vsys_id: 23
panw.panos.factortype: 24
panw.panos.factorcompletiontime: 25
panw.panos.factorno: 26
panw.panos.ugflags: 27
source.user.name: 28
client.user.name: 28

- drop_fields:
fields:
- csv
Expand All @@ -190,15 +271,6 @@ processors:
internal_zones: {{ .internal_zones | tojson }}
{{ end }}

- community_id: ~

- community_id:
target: panw.panos.network.nat.community_id
fields:
source_ip: source.nat.ip
source_port: source.nat.port
destination_ip: destination.nat.ip
destination_port: destination.nat.port

# Copy NAT data from ECS fields to the original non-ECS fields to retain
# backward compatibility. This should be removed for 8.0.
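Review bot: In the GLOBALPROTECT `extract_array`, `host.name: 14`, `host.id: 19` and `host.ip: 17` are filled from values the GlobalProtect client reports about itself (machine name, host ID, private IP), and with `overwrite_keys: true` they replace whatever `host.*` Filebeat set for the shipping host, so host-based correlation on these events may point at the remote endpoint rather than the collector; keeping that data under `client.*`/`source.*` (index 17 already feeds both) or documenting the intent with a comment above the mapping would remove the ambiguity. `event.duration: 30` stores the raw CSV value in an ECS field defined in nanoseconds; if index 30 is the login duration in seconds, as the PAN-OS GlobalProtect format appears to define it, the value needs converting in the ingest pipeline or a `panw.panos.*` field of its own. `observer.hostname: 33` also differs from the preceding mapping, where `observer.hostname: 59` is the device name; index 33 here looks like the portal name, so please confirm that is the intended meaning. The `processors` list begins before this hunk, and the file's second hunk only removes the `community_id` processors.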
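--- a/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
@@ -0,0 +1,37 @@
+---
+description: Pipeline for PanOS Global Protect Logs
+processors:
+  - set:
+      field: source.ip
+      value: "{{_temp_.private_ipv6}}"
+      if: ctx?._temp_?.private_ipv6 != "" && ctx?._temp_?.private_ipv6 != "0.0.0.0"
+  - set:
+      field: source.nat.ip
+      value: "{{_temp_.public_ipv6}}"
+      if: ctx?._temp_?.public_ipv6 != "" && ctx?._temp_?.public_ipv6 != "0.0.0.0"
+  - grok:
+      field: _temp_.srcuser
+      ignore_missing: true
+      ignore_failure: true
+      patterns:
+        - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+        - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+        - '%{USERNAME:source.user.name}'
+      if: ctx?._temp_?.srcuser != null
+  - set:
+      field: network.type
+      value: 'ipv4'
+      if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+  - set:
+      field: network.type
+      value: 'ipv6'
+      if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+
+on_failure:
+  - append:
+      field: error.message
+      value: >-
+        error in Global Protect pipeline:
+        error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+        with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+        {{ _ingest.on_failure_message }}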
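Review bot: The two `set` conditions on `_temp_.private_ipv6` and `_temp_.public_ipv6` never test for a missing field: the input's `extract_array` uses `omit_empty: true`, so the key is absent for IPv4-only clients, `null != ""` is true in Painless, and the Mustache value then renders as an empty string, overwriting `source.ip` and `source.nat.ip` with `""`, which the `ip`-typed mappings will most likely reject at index time. Add the null check first, as the grok step already does: `if: ctx?._temp_?.private_ipv6 != null && ctx._temp_.private_ipv6 != "" && ctx._temp_.private_ipv6 != "0.0.0.0"` (and the same for `public_ipv6`). Comparing an IPv6 field against `"0.0.0.0"` also looks copied from the IPv4 case; check what PAN-OS emits for an unset IPv6 address (`::` would be the likely placeholder) and compare against that. When the override does fire, `client.ip`, `host.ip` and `source.address`, which the input maps from the same column as `source.ip`, keep the IPv4 value, so `source.ip` and `client.ip` disagree on the same event; the same applies to `client.nat.ip` versus `source.nat.ip`.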