Palo Alto Networks Input
  • 09 Aug 2022
  • 3 Minutes to read
  • Dark

Palo Alto Networks Input

  • Dark


This input is available since Graylog version 2.5.0. Installation of an additional graylog-integrations-plugins package is required. See the Integrations Setup page for more info.

Palo Alto Networks input allows Graylog to receive SYSTEM, THREAT, and TRAFFIC logs directly from a Palo Alto device and the Palo Alto Panorama system. Logs are sent with a typical Syslog header followed by a comma-separated list of fields. The fields order may change between versions of PAN OS.

Example SYSTEM message:

<14>1 2018-09-19T11:50:35-05:00 Panorama-1 - - - - 1,2018/09/19 11:50:35,000710000506,SYSTEM,general,0,2018/09/19 11:50:35,,general,,0,0,general,informational,"Deviating device: Prod--2, Serial: 007255000045717, Object: N/A, Metric: mp-cpu, Value: 34",1163103,0x0,0,0,0,0,,Panorama-1

To get started, add a new Palo Alto Networks Input (TCP) in the System > Inputs area in Graylog. Specify the Graylog Node, Bind address, port, and adjust the field mappings as needed.

Graylog has two different inputs: one for PAN-OS 8 and before, and the second is for PAN-OS 9. At the time of writing both releases, 9.0 and 9.1 are supported by this input.

PAN-OS 8 Input

Configure Graylog to Parse Timestamps

Before you configure the time zone on the Inputs form, note that the value is set to UTC+00:00 - UTC by default. However, you can set it to a specific offset from a dropdown menu found in the input configuration form. Since PAN device logs do not include timezone offset information, this field allows Graylog to correctly parse the timestamps from logs. If your PAN device is set to UTC, you do not need to change this value.

This input ships with a field configuration that is compatible with PAN OS 8.1. Other versions are supported by customizing the SYSTEM, THREAT, and TRAFFIC mappings on the Add/Edit input page in Graylog.

The configuration for each message type is a CSV block that must include the position, field, and type headers.

For example:


Accepted values for each column:

FieldAccepted Values
positionA positive integer value.
fieldA contiguous string value to use for the field name. Must not include the reserved field names: _id, message, full_message, source, timestamp, level, streams.
typeOne of the following supported types: BOOLEAN, LONG, STRING.

When the Palo Alto input starts, the validity of each CSV configuration is checked. If the CSV is malformed or contains invalid properties, the input will fail to start. An error describing the specific issue is logged in the graylog-server log file and will be displayed at the top of the http://<grayloghost>/system/overview page for the affected node.

For example:


The mappings for each type look like this on the add/edit input page:
palo 1

The default mappings built into the plugin are based on the following PAN-OS 8.1 specifications. If running PAN-OS 8.1, then there is no need to edit the mappings. However, if running a different version of PAN-OS, please reference the official Palo Alto Networks log fields documentation for that version, and customize the mappings on the Add/Edit Input page accordingly.

Version 8.1

Version 8.0

Version 7.1

PAN-OS 9 Input

PAN-OS 9 input auto-detects if the ingested data is from Version 9.0 or 9.1. Since the release of Graylog 3.3.6, the latter is supported automatically and will work out of the box.

The previous possible adjustments are no longer needed.

We have included links to a few recent versions here for reference.

Version 9.1

Version 9.0

Also see Documentation for older PAN OS versions

Was this article helpful?

What's Next