From d68f6e97d0edf51e0c504e8a84b312cfb737a740 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Sat, 11 May 2019 02:26:07 +0200
Subject: [PATCH] Missing docs file

---
 filebeat/docs/modules/palo_alto.asciidoc | 188 +++++++++++++++++++++++
 1 file changed, 188 insertions(+)
 create mode 100644 filebeat/docs/modules/palo_alto.asciidoc

diff --git a/filebeat/docs/modules/palo_alto.asciidoc b/filebeat/docs/modules/palo_alto.asciidoc
new file mode 100644
index 00000000000..9c0a1fc9c03
--- /dev/null
+++ b/filebeat/docs/modules/palo_alto.asciidoc
@@ -0,0 +1,188 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-palo_alto]]
+[role="xpack"]
+
+:modulename: palo_alto
+:has-dashboards: true
+
+== Palo Alto Networks module
+
+This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received
+over Syslog or read from a file. It currently supports messages of Traffic and
+Threat types.
+
+[float]
+=== Compatibility
+
+This module has been tested with logs generated by devices running PAN-OS
+versions 7.1 to 9.0 but limited compatibility is expected for earlier versions.
+
+The {plugins}/ingest-geoip.html[ingest-geoip]
+Elasticsearch plugin is required to run this module.
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== ECS field mappings
+
+These are the PAN-OS to ECS field mappings as well as those fields still not
+in ECS that are added under the `palo_alto` prefix:
+
+.Traffic log mappings
+[options="header"]
+|==============
+| PAN-OS Field | ECS Field | Non-standard field
+| Receive Time | event.created |
+| Serial Number | observer.serial_number |
+| Type | event.category |
+| Subtype | event.action |
+| Generated Time | `@timestamp` |
+| Source IP | client.ip source.ip |
+| Destination IP | server.ip destination.ip |
+| NAT Source IP | | palo_alto.source.nat.ip
+| NAT Destination IP | | palo_alto.destination.nat.ip
+| Rule Name | | palo_alto.ruleset
+| Source User | client.user.name source.user.name |
+| Destination User | server.user.name destination.user.name |
+| Application | network.application |
+| Source Zone | | palo_alto.source.zone
+| Destination Zone | | palo_alto.destination.zone
+| Ingress Interface | | palo_alto.source.interface
+| Egress Interface | | palo_alto.destination.interface
+| Session ID | | palo_alto.flow_id
+| Source Port | client.port source.port |
+| Destination Port | destination.port server.port |
+| NAT Source Port | | palo_alto.source.nat.port
+| NAT Destination Port | | palo_alto.destination.nat.port
+| Flags | labels |
+| Protocol | network.transport |
+| Action | event.outcome |
+| Bytes | network.bytes |
+| Bytes Sent | client.bytes destination.bytes |
+| Bytes Received | server.bytes source.bytes |
+| Packets | network.packets |
+| Start Time | event.start |
+| Elapsed Time | event.duration |
+| Category | | palo_alto.url.category
+| Sequence Number | | palo_alto.sequence_number
+| Packets Sent | server.packets destination.packets |
+| Packets Received | client.packets source.packets |
+| Device Name | observer.hostname |
+|==============
+
+.Threat logs mappings
+[options="header"]
+|==============
+| PAN-OS Field | ECS Field | Non-standard field
+| Receive Time | event.created |
+| Serial Number | observer.serial_number |
+| Type | event.category |
+| Subtype | event.action |
+| Generated Time | `@timestamp` |
+| Source IP | client.ip source.ip |
+| Destination IP | server.ip destination.ip |
+| NAT Source IP | | palo_alto.source.nat.ip
+| NAT Destination IP | | palo_alto.destination.nat.ip
+| Rule Name | | palo_alto.ruleset
+| Source User | client.user.name source.user.name |
+| Destination User | server.user.name destination.user.name |
+| Application | network.application |
+| Source Zone | | palo_alto.source.zone
+| Destination Zone | | palo_alto.destination.zone
+| Ingress Interface | | palo_alto.source.interface
+| Egress Interface | | palo_alto.destination.interface
+| Session ID | | palo_alto.flow_id
+| Source Port | client.port source.port |
+| Destination Port | destination.port server.port |
+| NAT Source Port | | palo_alto.source.nat.port
+| NAT Destination Port | | palo_alto.destination.nat.port
+| Flags | labels |
+| Protocol | network.transport |
+| Action | event.outcome |
+| Miscellaneous | url.original | palo_alto.threat_file_or_url
+| Threat ID | | palo_alto.threat_id
+| Category | | palo_alto.url.category
+| Severity | log.level |
+| Direction | network.direction |
+| Source Location | source.geo.country_iso_code |
+| Destination Location | destination.geo.country_iso_code |
+| PCAP_id | | palo_alto.network.pcap_id
+| Filedigest | | palo_alto.file.hash
+| User Agent | user_agent.original |
+| File Type | file.type |
+| X-Forwarded-For | network.forwarded_ip |
+| Referer | http.request.referer |
+| Sender | source.user.email |
+| Subject | | palo_alto.subject
+| Recipient | destination.user.email |
+| Device Name | observer.hostname |
+|==============
+
+// [float]
+// === Example dashboard
+//
+// This module comes with a sample dashboard:
+//
+// (TODO)
+// [role="screenshot"]
+// image::./images/kibana-cisco-asa.png[]
+
+include::../include/configuring-intro.asciidoc[]
+
+The module is by default configured to run via syslog on port 9001. However
+it can also be configured to read logs from a file. See the following example.
+
+["source","yaml",subs="attributes"]
+-----
+- module: palo_alto
+ pan_os:
+ enabled: true
+ var.paths: ["/var/log/pan-os.log"]
+ var.input: "file"
+-----
+
+:fileset_ex: pan_os
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `pan_os` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+ pan_os:
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 514
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to `9001`
+
+NOTE: Ports below 1024 require {beatname_uc} to run as root.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<> section.
+