Logstash Config - Palo Alto Firewall

a guest
Oct 8th, 2016
728
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.61 KB | None | 0 0
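  # Logstash pipeline for Palo Alto (PAN-OS) firewall syslog.
  # Receives the syslog stream over TCP, strips the syslog header, splits the
  # PAN-OS CSV body into named columns (TRAFFIC vs. THREAT/other layouts),
  # normalises numeric fields, geolocates public endpoints, fingerprints the
  # flow 5-tuple and indexes into a daily Elasticsearch index.
  input {
    tcp {
      port => 5513
      type => "paloalto"
      # NOTE(review): no `host` is set, so the listener accepts connections on
      # every interface; pin it to the collector address if the box is
      # multi-homed, and consider ssl_enable for the firewall-to-Logstash hop.
    }
  }

  ######## PALOALTO FILTER #####################
  filter {
    if [type] == "paloalto" {

      # Strip the BSD syslog header; the CSV body lands in palo_message.
      # SYSLOGTIMESTAMP tolerates the double space before a single-digit day
      # ("Oct  8") that "%{MONTH} %{MONTHDAY}" rejected.
      # NOTE(review): the leading "%" is matched literally; if raw messages
      # start directly with "<PRI>", drop it - confirm against a captured line.
      grok {
        patterns_dir => "C:\elk\logstash\vendor\bundle\jruby\1.9\gems\logstash-patterns-core-2.0.5\patterns"
        match => [ "message", "%<%{POSINT}>%{SYSLOGTIMESTAMP} %{GREEDYDATA:palo_message}" ]
      }

      # grok captures into palo_message, so that is the field to rename; the
      # original renamed "palomessage", which never exists, so the syslog header
      # was left in front of the CSV and ended up in the first column.
      mutate {
        rename => { "palo_message" => "message" }
      }

      # PAN-OS field order. Column names are shared with the convert and
      # fingerprint steps below, so the spelling must stay identical
      # (SerialNum, ElapsedTimeInSec, IPprotocol).
      if [message] =~ /TRAFFIC/ {
        csv {
          columns => [ "Domain", "ReceiveTime", "SerialNum", "Type", "Threat-ContentType", "ConfigVersion", "GenerateTime", "SourceAddress", "DestinationAddress", "NATSourceIP", "NATDestinationIP", "Rule", "SourceUser", "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone", "InboundInterface", "OutboundInterface", "LogAction", "TimeLogged", "SessionID", "RepeatCount", "SourcePort", "DestinationPort", "NATSourcePort", "NATDestinationPort", "Flags", "IPprotocol", "Action", "Bytes", "BytesSent", "BytesReceived", "Packets", "StartTime", "ElapsedTimeInSec", "Category", "Padding", "seqno", "actionflags", "SourceCountry", "DestinationCountry", "cpadding", "pkts_sent", "pkts_received", "session_end_reason" ]
        }
      } else {
        # THREAT and every other non-TRAFFIC subtype share this layout.
        csv {
          columns => [ "Domain", "ReceiveTime", "SerialNum", "Type", "Threat-ContentType", "ConfigVersion", "GenerateTime", "SourceAddress", "DestinationAddress", "NATSourceIP", "NATDestinationIP", "Rule", "SourceUser", "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone", "InboundInterface", "OutboundInterface", "LogAction", "TimeLogged", "SessionID", "RepeatCount", "SourcePort", "DestinationPort", "NATSourcePort", "NATDestinationPort", "Flags", "IPprotocol", "Action", "URL", "Threat-ContentName", "Category", "reportid", "Severity", "Direction", "seqno", "actionflags", "SourceCountry", "DestinationCountry", "cpadding", "ContentType", "pcap_id", "filedigest", "cloud", "url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject", "recipient" ]
        }
      }

      # Event time comes from the firewall's GenerateTime column (local time,
      # so the zone must be stated explicitly).
      date {
        timezone => "America/Chicago"
        match => [ "GenerateTime", "YYYY/MM/dd HH:mm:ss" ]
      }

      # Numeric normalisation. The geoip.* converts from the original were
      # dropped: the geoip filters below write under SourceGeo/DestinationGeo,
      # so top-level "geoip.*" names never exist here and the converts were no-ops.
      mutate {
        convert => {
          "Bytes" => "integer"
          "BytesReceived" => "integer"
          "BytesSent" => "integer"
          "ElapsedTimeInSec" => "integer"
          "NATDestinationPort" => "integer"
          "NATSourcePort" => "integer"
          "Packets" => "integer"
          "pkts_received" => "integer"
          "pkts_sent" => "integer"
          "seqno" => "integer"
        }
        # Make Rule/Application safe for term aggregations (no spaces/dashes).
        gsub => [ "Rule", " ", "_", "Application", "( |-)", "_" ]
        remove_field => [ "message", "raw_message" ]
      }

      ################ GEO LOCATION ######################################
      # Only geolocate public addresses: loopback, RFC1918 and link-local are
      # skipped (the original excluded only the literal 127.0.0.1; now all of 127/8).
      if [SourceAddress] and [SourceAddress] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
        geoip {
          database => "C:\elk\logstash\GeoLiteCity.dat"
          source => "SourceAddress"
          target => "SourceGeo"
        }
        # Drop a 0,0 location (no coordinates in the database) instead of
        # blanking it. Nested fields are addressed as [SourceGeo][location];
        # the original [SourceGeo.location] named a top-level field that never exists.
        # NOTE(review): =~ "0,0" is an unanchored regex - confirm it matches the
        # location value shape this geoip version emits.
        if [SourceGeo][location] and [SourceGeo][location] =~ "0,0" {
          mutate {
            remove_field => [ "[SourceGeo][location]" ]
          }
        }
      }

      # Geolocate DestinationAddress when it is a non-RFC1918 / non-local address.
      if [DestinationAddress] and [DestinationAddress] !~ "(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
        geoip {
          database => "C:\elk\logstash\GeoLiteCity.dat"
          source => "DestinationAddress"
          target => "DestinationGeo"
        }
        # Same 0,0 clean-up; the original targeted "DestinationAddress.location",
        # which is neither the geoip target nor a nested reference.
        if [DestinationGeo][location] and [DestinationGeo][location] =~ "0,0" {
          mutate {
            remove_field => [ "[DestinationGeo][location]" ]
          }
        }
      }

      # Takes the 5-tuple of source address, source port, destination address,
      # destination port, and protocol and does a SHA1 hash to fingerprint the
      # flow. This is a useful way to be able to do top N terms queries on
      # flows, not just on one field. The protocol column is named
      # "IPprotocol" in both csv layouts above; the original used "IPProtocol",
      # which never exists, so the hash silently covered only four fields.
      # The key only needs to be identical on every Logstash node so that the
      # same flow fingerprints the same way everywhere.
      if [SourceAddress] and [DestinationAddress] {
        fingerprint {
          concatenate_sources => true
          method => "SHA1"
          key => "logstash"
          source => [ "SourceAddress", "SourcePort", "DestinationAddress", "DestinationPort", "IPprotocol" ]
        }
      }
    }
  }

  # Daily index; the template is pushed on every start (template_overwrite).
  # NOTE(review): no credentials are configured for the Elasticsearch hop -
  # acceptable only while ES stays bound to loopback on this host.
  output {
    if [type] == "paloalto" {
      elasticsearch {
        hosts => ["localhost:9200"]
        index => "palo-firewall-%{+YYYY.MM.dd}"
        template => "C:\elk\logstash\elasticsearch-template.json"
        template_overwrite => true
      }
    }
  }

  ################# END OF FILTER ####################################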