Palo Alto Networks Input
  • 03 Nov 2021

This input is available since Graylog version 2.5.0. Installation of an additional graylog-integrations-plugins package is required. See the Integrations Setup page for more info.

This input allows Graylog to receive SYSTEM, THREAT and TRAFFIC logs directly from a Palo Alto device or from the Palo Alto Panorama system. Logs are sent with a typical Syslog header followed by a comma-separated list of fields. The order of the fields may change between PAN-OS versions.

Example SYSTEM message:

<14>1 2018-09-19T11:50:35-05:00 Panorama-1 - - - - 1,2018/09/19 11:50:35,000710000506,SYSTEM,general,0,2018/09/19 11:50:35,,general,,0,0,general,informational,"Deviating device: Prod--2, Serial: 007255000045717, Object: N/A, Metric: mp-cpu, Value: 34",1163103,0x0,0,0,0,0,,Panorama-1

To get started, add a new Palo Alto Networks Input (TCP) in the System > Inputs area in Graylog. Specify the Graylog Node, Bind address, Port, and adjust the field mappings as needed.

Graylog has two different inputs: one for PAN-OS 8 and earlier, the other for PAN-OS 9. At the time of writing, both 9.0 and 9.1 are supported by the PAN-OS 9 input.

PAN-OS 8 Input

Configure Graylog to parse timestamps

The time zone on the input form is set to UTC+00:00 - UTC by default; you can select a specific offset from the dropdown menu in the input configuration form. Because PAN device logs do not include time zone offset information, this setting lets Graylog parse the log timestamps correctly. If your PAN device is set to UTC, you do not need to change this value.

This input ships with a field configuration that is compatible with PAN-OS 8.1. Other versions can be supported by customizing the SYSTEM, THREAT and TRAFFIC mappings on the Add/Edit input page in Graylog.

The configuration for each message type is a CSV block that must include the position, field, and type headers.

For example:


Accepted values for each column:

Field      Accepted values
position   A positive integer value.
field      A contiguous string value to use for the field name. Must not be one of the reserved field names: _id, message, full_message, source, timestamp, level, streams.
type       One of the following supported types: BOOLEAN, LONG, STRING.

The validity of each CSV configuration is checked when the Palo Alto input is started. If the CSV is malformed (or contains invalid properties), the input will fail to start. An error describing the specific issue will be logged in the graylog-server log file and also displayed at the top of the http://<grayloghost>/system/overview page for the affected node.
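To make the mapping format and the start-up validation concrete, here is an added Python example (not the Graylog plugin's own code) that validates a mapping CSV against the rules above and applies it to the SYSTEM message shown earlier. The mapping rows and the assumption that positions are 1-based are constructed for illustration; they are not the plugin's bundled PAN-OS 8.1 mapping.

```python
"""Validate a Graylog-style CSV field mapping and apply it to a PAN-OS syslog message.

Added example, not the Graylog plugin's code. Assumptions: positions are 1-based and
the mapping rows are constructed from the PAN-OS 8.1 SYSTEM layout for illustration.
"""
import csv
import io
import re

RESERVED = {"_id", "message", "full_message", "source", "timestamp", "level", "streams"}
TYPES = {"BOOLEAN", "LONG", "STRING"}

# Constructed mapping in the shape the input expects: header row followed by data rows.
SYSTEM_MAPPING = """position,field,type
3,serial_number,STRING
4,type,STRING
14,severity,STRING
15,description,STRING
16,sequence_number,LONG
23,device_name,STRING
"""

# Example SYSTEM message from the page: RFC 5424 header, then the comma-separated body.
SAMPLE = ('<14>1 2018-09-19T11:50:35-05:00 Panorama-1 - - - - 1,2018/09/19 11:50:35,'
          '000710000506,SYSTEM,general,0,2018/09/19 11:50:35,,general,,0,0,general,'
          'informational,"Deviating device: Prod--2, Serial: 007255000045717, Object: N/A, '
          'Metric: mp-cpu, Value: 34",1163103,0x0,0,0,0,0,,Panorama-1')

def load_mapping(text):
    """Check the CSV as the input does at start-up; raise ValueError on the first problem."""
    reader = csv.DictReader(io.StringIO(text))
    if set(reader.fieldnames or []) != {"position", "field", "type"}:
        raise ValueError("mapping needs exactly the headers position, field, type")
    rows = []
    for n, row in enumerate(reader, start=2):  # n is the CSV line number for the error
        pos, name, typ = row["position"] or "", row["field"] or "", row["type"] or ""
        if not pos.isdigit() or int(pos) < 1:
            raise ValueError(f"line {n}: position must be a positive integer")
        if not re.fullmatch(r"\S+", name) or name in RESERVED:
            raise ValueError(f"line {n}: invalid or reserved field name {name!r}")
        if typ not in TYPES:
            raise ValueError(f"line {n}: type must be one of {sorted(TYPES)}")
        rows.append((int(pos), name, typ))
    return rows

def parse_message(raw, mapping):
    """Drop the 7-token syslog header, CSV-split the body (quoted commas survive), map fields."""
    values = next(csv.reader([raw.split(" ", 7)[7]]))
    out = {}
    for pos, name, typ in mapping:
        v = values[pos - 1]
        out[name] = int(v) if typ == "LONG" else (v.lower() == "true" if typ == "BOOLEAN" else v)
    return out
```

A malformed mapping (for example a row naming the reserved field `source`) is rejected by `load_mapping` before any message is parsed, mirroring the input's refusal to start.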

For example:


The mappings for each type look like this on the add/edit input page:

The mappings built into the plugin by default are based on the PAN-OS 8.1 specifications linked below. If you are running PAN-OS 8.1, there is no need to edit the mappings. If you are running a different version of PAN-OS, consult the official Palo Alto Networks log fields documentation for that version and customize the mappings on the Add/Edit Input page accordingly.

Version 8.1

Version 8.0

Version 7.1

PAN-OS 9 Input

This input automatically detects whether the ingested data comes from version 9.0 or 9.1. Since Graylog 3.3.6, the latter is supported out of the box.

The manual mapping adjustments described for the PAN-OS 8 input are no longer needed.

Links to a few recent versions are included here for reference.

Version 9.1

Version 9.0

Also see Documentation for older PAN OS versions.
