paloalto_elk's Introduction

Palo Alto Networks PAN-OS v8.1-10.0 Elastic Stack v7.x Configuration

There are several Palo Alto projects for ELK, but most appear to be abandoned, with no updates in the past year. None of them parse the expanded PAN-OS 9 and 10+ log fields (SD-WAN and related columns) either.


Background

This project updates the earlier ELK projects to Common Information Model (CIM) field names and to the PAN-OS 10.0 log layout (it also works with PAN-OS 8+). Initial changes relative to the earlier projects:

  • Support for ELK v7.8
  • Added the new traffic log fields introduced with PAN-OS 9.1 and 10.0
  • Changed attribute names from the default PA field names to Common Information Model (CIM) names where applicable.
    This allows you to import CIM Traffic and Threat visualizations
  • Added a DNS filter so documents carry hostnames, not just IPs, including a dnsmasq install reference
  • Converted all import objects to ndjson (Kibana is migrating away from JSON for saved objects)
  • Import of the index patterns so visualizations match the index UUID
  • Added a prune filter to the pipeline to drop fields that are normally null or duplicated.
    This also helps when PA adds a new log field: no more COL# fields
  • Created a panos-undefined index to capture log entries of other types
  • Added a destination map to the traffic dashboard

If you like the visualizations and dashboards, please buy me a coffee so I can keep going: https://www.patreon.com/gauthig

Tutorial

This project was built on Ubuntu 20.04 with the Elastic package repositories added so that the ELK stack stays current. The instructions below assume that OS base and ELK setup.

1 - ELK install using repositories

2 - Install dnsmasq

3 - After ELK Install (or if ELK already exists)

Once you have ELK up and running start here

  • Download these folders:
    • elk-pipeline - files that need to be on the ELK server
    • gui-import - files that will be imported via the Kibana web GUI

3.1 Edit 'pan-os.conf'

  • Set your timezone correctly (very important); also set your local server's timezone so it is not UTC
  • RAW log: the raw syslog text from the Palo Alto is saved in each document's message field. Keep it if the firewall is in PCI or other regulated scope, where the original record must be retained. The field is stored but not parsed or indexed. If you don't need the raw message and want to save space, uncomment this section so the unparsed syslog is dropped after parsing (optional):
    # mutate {
    #   # Original message has been fully parsed, so remove it.
    #   remove_field => [ "message" ]
    # }

3.2 Copy files to your server

Copy pan-os.conf to your Logstash conf directory. For Ubuntu/Debian this is "/etc/logstash/conf.d/".

3.3 Install the index template (adds GeoIP for maps and optimizes other fields)

  • Run this command from the same directory where you put panos-template.json
  • If running curl from another node, put the correct server IP in the URL and ensure port 9200 is reachable on the network. Exposing 9200 without TLS and authentication lets anyone on that network read or delete indices, so prefer running the command on the Elasticsearch host itself.
curl -XPUT http://127.0.0.1:9200/_template/panos-template?pretty -H 'Content-Type: application/json' -d @panos-template.json

3.4 Import the saved object files (in this order)

Log into your Kibana interface and go to the Saved Objects page:

http://<yourkibana DNS or IP>:5601/app/kibana#/management/kibana/objects

Click Import and select each import file in this order:
  1. 1-index.ndjson
  2. 2-visualizations.ndjson
  3. 3-dashboard.ndjson
  4. 4-maps.ndjson

3.5 Restart Elasticsearch & Logstash

sudo systemctl restart elasticsearch.service
sudo systemctl restart logstash.service

4 - PaloAlto Setup

  • Configure your PANW firewall(s) or Panorama to send syslog messages to your Elastic Stack server
  • Use port 5514
  • Ensure that your firewall generates at least one traffic, threat, system and config syslog entry each
  • Traffic will be generated by just going to a web site (make sure you enable logging on your policies)
  • You may have to trigger a threat log entry deliberately. Follow this guide from Palo Alto for instructions
  • After committing the syslog server setting, you will need to do another commit (any change) to actually send a config log message. Try changing the order of a rule and committing it.
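Before touching the firewall it is worth proving that Logstash on port 5514 accepts and parses a record at all. The script below is an added example and is not part of the paloalto_elk project: it frames a constructed PAN-OS style TRAFFIC record as BSD syslog (RFC 3164, the format PAN-OS uses when forwarding to a syslog server) and sends it to the listener. Assumptions: Logstash is bound on 5514 as in step 4; the transport (UDP or TCP) is whatever pan-os.conf declares, so it is a parameter; the hostname PA-LAB and all addresses and values in the record are made up.

```python
"""Send a constructed PAN-OS style syslog record to the Logstash listener.

Added example, not part of the paloalto_elk project. Assumes Logstash
listens on 5514; transport is a parameter because pan-os.conf decides it.
"""
import socket
import time
from typing import Optional

# Constructed TRAFFIC "end" record using documentation addresses. The column
# order follows the PAN-OS traffic log field order (first column is the
# FUTURE_USE field, emitted as "1"); every value here is synthetic.
TRAFFIC_BODY = (
    "1,2023/10/27 10:20:39,000000000001,TRAFFIC,end,2816,2023/10/27 10:20:39,"
    "10.0.0.25,203.0.113.10,192.0.2.1,203.0.113.10,Allow-Web-Out,corp\\alice,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/4,Forward-ELK,"
    "2023/10/27 10:20:39,769189,1,55640,443,40321,443,0x400053,tcp,allow,"
    "8684,1200,7484,20,2023/10/27 10:18:04,155,any,,7291621740078999980,0x0,"
    "10.0.0.0-10.255.255.255,United States,,8,12,tcp-fin"
)


def syslog_frame(body: str, hostname: str = "PA-LAB", facility: int = 1,
                 severity: int = 6, when: Optional[float] = None) -> bytes:
    """Build an RFC 3164 frame: '<PRI>Mmm dd HH:MM:SS hostname body\\n'.

    PRI is facility * 8 + severity (1/6 = user.info, value 14). The day of
    month is space-padded to two characters as the BSD format requires.
    """
    t = time.localtime(time.time() if when is None else when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {body}\n".encode()


def send_syslog(frame: bytes, host: str = "127.0.0.1", port: int = 5514,
                proto: str = "udp") -> int:
    """Deliver one frame and return the number of bytes handed to the socket.

    UDP sends a single datagram; TCP relies on the trailing newline that
    syslog_frame appends, which is the usual line delimiter for syslog inputs.
    """
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(frame, (host, port))
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame)
        return len(frame)


if __name__ == "__main__":
    import sys
    transport = sys.argv[1] if len(sys.argv) > 1 else "udp"
    sent = send_syslog(syslog_frame(TRAFFIC_BODY), proto=transport)
    print(f"sent {sent} bytes over {transport}; look for the record in the panos-traffic index")
```

Run it with `python3 send_test.py udp` (or `tcp`) on the ELK host, then check the panos-traffic index in Kibana. If nothing arrives, the problem is the listener or the firewall on the host, not the Palo Alto; if a document arrives but fields are misaligned, the problem is in the parsing pipeline.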

References

Credit and Contributions: I have found several older open source GitHub projects on Palo Alto to ELK setups and wish to thank the following early developers.
  • shadow-box - https://github.com/shadow-box/Palo-Alto-Networks-ELK-Stack
  • sm-biz - https://github.com/sm-biz/paloalto-elasticstack-viz


paloalto_elk's Issues

Could not index event to Elasticsearch

Hi gauthig,
I'm trying to use your conf file and template; my ELK is version 7.17.13.

  • upload the pan-os.conf to logstash
  • import json file to Elasticsearch
  • import template to Kibana
    I checked my logstash and see it could not index the event:

[2023-10-27T10:20:39,685][WARN ][logstash.outputs.elasticsearch][main][74191bf2eb98e48e0a21492b66616a8684dcff2b892db40eeeef4a78d50bdada] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"panos-traffic", :routing=>nil}, {"user"=>nil, "log_profile"=>"2023/10/27 10:20:39", "receive_time"=>"016201039516", "action"=>"99984", "category"=>nil, "tags"=>["PAN-OS_traffic", "_geoip_lookup_failure"], "src_geoip"=>{"location"=>{"lat"=>37.751, "lon"=>-97.822}, "continent_code"=>"NA", "ip"=>"142.251.175.156", "country_name"=>"United States", "country_code2"=>"US", "latitude"=>37.751, "timezone"=>"America/Chicago", "country_code3"=>"US", "longitude"=>-97.822}, "bytes"=>8684, "src_location"=>"United States", "repeat_count"=>"55640", "session_id"=>"1", "virtual_system_name"=>"VNHCM-PA01-3220", "dest_user"=>"quic", "dest_translated_port"=>0, "fingerprint"=>"ddb339be593e71c52bd72811697efa831168799f", "src_translated_ip"=>"0.0.0.0", "tunnelid"=>nil, "dest_ip"=>"0.0.0.0", "message"=>" 10:20:39,016201039516,TRAFFIC,end,2816,2023/10/27 10:20:39,10.164.41.121,142.251.175.156,0.0.0.0,0.0.0.0,Permit_User_INET-Trust_to_INET-Untrust_OUT,vn\quanvo,,quic,vsys1,INET_Trust,INET_Untrust,ethernet1/2,ethernet1/4,Test_syslog,2023/10/27 10:20:39,769189,1,55640,443,0,0,0x53,udp,allow,99984,8684,91300,167,2023/10/27 10:18:04,155,any,,7291621740078999980,0x0,10.0.0.0-10.255.255.255,United States,,65,102,aged-out,0,0,0,0,,VNHCM-PA01-3220,from-policy,,,0,,0,,N/A,0,0,0,0,a9fea337-3704-42ac-8c2a-ad56b348cf97,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2023-10-27T10:20:39.468+07:00,,,infrastructure,networking,browser-based,1,tunnel-other-application,,quic,no,no,0,NonProxyTraffic,", "rule"=>"vn\quanvo", "tunnel"=>"0", "src_interface"=>"ethernet1/4", "dest_translated_ip"=>"Permit_User_INET-Trust_to_INET-Untrust_OUT", "src_zone"=>"INET_Untrust", "start"=>"155", "bytes_out"=>91300, "src_port"=>"443", "src_translated_port"=>0, "dest_zone"=>"ethernet1/2", 
"parent_start_time"=>"N/A", "src_device_category"=>nil, "log_type"=>"end", "bytes_in"=>167, "generated_time"=>"10.164.41.121", "dest_port"=>"0", "src_name"=>"sh-in-f156.1e100.net", "session_end_reason"=>"0", "virtual_system"=>"INET_Trust", "action_flags"=>"10.0.0.0-10.255.255.255", "packets_in"=>0, "parent_session_id"=>nil, "seqno"=>0, "rule_uuid"=>"0", "dest_name"=>"0.0.0.0", "src_ip"=>"142.251.175.156", "action_source"=>nil, "serial_number"=>nil, "app"=>"vsys1", "dynusergroup_name"=>nil, "dest_geoip"=>{}, "content_type"=>"2816", "elapsed_sec"=>0, "dest_location"=>nil, "dvc_name"=>"from-policy", "@timestamp"=>2023-10-27T03:20:39.000Z, "dest_device_category"=>nil, "http-2-connection"=>"0", "dest_interface"=>"Test_syslog", "packets"=>2023, "packets_out"=>102, "protocol"=>"allow"}], :response=>{"index"=>{"_index"=>"panos-traffic", "_type"=>"_doc", "_id"=>"VTYlb4sBYYZb0pOM8f_7", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dest_translated_ip] of type [ip] in document with id 'VTYlb4sBYYZb0pOM8f_7'. Preview of field's value: 'Permit_User_INET-Trust_to_INET-Untrust_OUT'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'Permit_User_INET-Trust_to_INET-Untrust_OUT' is not an IP string literal."}}}}}

thanks a lot for help
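The rejected document above is the classic symptom of a column shift: a rule name ("Permit_User_...") landed in dest_translated_ip, which the template maps as type ip, so Elasticsearch answered 400 mapper_parsing_exception and the event was dropped. The following is an added example, not code from the paloalto_elk project or from the issue author: it checks a PAN-OS TRAFFIC CSV body against the positions that a strict mapping would type (IP addresses, ports, byte counts) before anything is indexed, and shows how a one-column shift is detected. Column numbers follow the PAN-OS traffic log field order (1-based, first column FUTURE_USE); the field names used for messages are descriptive only and are not the pipeline's CIM names; both sample lines are constructed.

```python
"""Pre-index sanity check for PAN-OS TRAFFIC log lines.

Added example, not part of the paloalto_elk project. Detects the column
shift that makes a non-IP value land in an ip-typed field.
"""
import csv
import io
import ipaddress

# 1-based positions of fields a strict mapping would type. Names are
# descriptive labels for this check, not the pipeline's CIM field names.
IP_FIELDS = {8: "src_ip", 9: "dest_ip", 10: "src_translated_ip", 11: "dest_translated_ip"}
INT_FIELDS = {23: "session_id", 25: "src_port", 26: "dest_port",
              32: "bytes", 33: "bytes_out", 34: "bytes_in"}
TYPE_FIELD = 4       # must read TRAFFIC for this record type
MIN_FIELDS = 47      # through session_end_reason; later fields are version-dependent

# Constructed TRAFFIC "end" record with documentation addresses.
SAMPLE_OK = (
    "1,2023/10/27 10:20:39,000000000001,TRAFFIC,end,2816,2023/10/27 10:20:39,"
    "10.0.0.25,203.0.113.10,192.0.2.1,203.0.113.10,Allow-Web-Out,corp\\alice,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/4,Forward-ELK,"
    "2023/10/27 10:20:39,769189,1,55640,443,40321,443,0x400053,tcp,allow,"
    "8684,1200,7484,20,2023/10/27 10:18:04,155,any,,7291621740078999980,0x0,"
    "10.0.0.0-10.255.255.255,United States,,8,12,tcp-fin"
)
# Same record with the leading FUTURE_USE column lost: everything shifts left
# by one, which is what puts the rule name into the NAT destination slot.
SAMPLE_SHIFTED = SAMPLE_OK.split(",", 1)[1]


def split_panos_csv(line: str) -> list:
    """Split a PAN-OS CSV body, honouring quoted fields (PAN-OS quotes values
    that contain commas, e.g. user agents), which a plain str.split would break."""
    return next(csv.reader(io.StringIO(line)))


def check_traffic_record(line: str) -> dict:
    """Return {"ok", "problems", "field_count"} for one TRAFFIC CSV body."""
    fields = split_panos_csv(line)
    problems = []

    def col(n: int) -> str:          # 1-based accessor, "" when missing
        return fields[n - 1] if n <= len(fields) else ""

    if len(fields) < MIN_FIELDS:
        problems.append(f"only {len(fields)} fields, expected at least {MIN_FIELDS}")
    if col(TYPE_FIELD) != "TRAFFIC":
        problems.append(f"field {TYPE_FIELD} is {col(TYPE_FIELD)!r}, expected 'TRAFFIC'")
    for pos, name in IP_FIELDS.items():
        try:
            ipaddress.ip_address(col(pos))
        except ValueError:
            problems.append(f"{name} (field {pos}) is not an IP: {col(pos)!r}")
    for pos, name in INT_FIELDS.items():
        if not col(pos).isdigit():
            problems.append(f"{name} (field {pos}) is not an integer: {col(pos)!r}")
    return {"ok": not problems, "problems": problems, "field_count": len(fields)}


if __name__ == "__main__":
    for label, line in (("ok", SAMPLE_OK), ("shifted", SAMPLE_SHIFTED)):
        result = check_traffic_record(line)
        print(label, result["field_count"], "fields", "OK" if result["ok"] else result["problems"])
```

The same idea transfers to Logstash: gate the elasticsearch output on a conditional that tags events whose type column is not TRAFFIC or whose field count is off, and route them to the panos-undefined index instead of letting the mapper reject them, so misparsed records stay visible rather than disappearing into the Logstash log.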
