[ https://issues.apache.org/jira/browse/METRON-1740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591937#comment-16591937 ]
ASF GitHub Bot commented on METRON-1740:
----------------------------------------

Github user JonZeolla commented on the issue:
https://github.com/apache/metron/pull/1171

I spun up this PR, and threw some logs from my Palo (Monitor > Logs > downloaded the max number of logs that I could from Threat, Traffic, Configuration, and System (CSV format) and put in flat files in the dev centos6 box). It appeared to work as expected, but I need to look into one bug from scratch to see if it's related to this PR, master, or PEBKAC. Here's roughly what I did:

```
vagrant up
vagrant ssh
sudo service sensor-stubs stop
export PATH=$PATH:/usr/hdp/current/kafka-broker/bin
export METRON_HOME=/usr/metron/0.5.1
export zk=node1:2181
export kafka=node1:6667
screen
# Went to the management UI and added a new sensor with name/topic of palo, parser type PaloAltoFirewall, and started it.
vi $METRON_HOME/config/zookeeper/parsers/palo.json
# Created {config,system,threat,traffic}.csv using the data from my palo
kafka-topics.sh --create --zookeeper $zk --replication-factor 1 --partitions 1 --topic palo
kafka-console-consumer.sh --zookeeper $zk --topic palo
# Create new screen session
kafka-console-consumer.sh --zookeeper $zk --topic enrichments
# Create new screen session
sudo tail -f /var/log/storm/workers-artifacts/palo-*/*/worker.log | grep -i "failed to parse"
# Create new screen session
cat *.csv | kafka-console-producer.sh --broker-list $kafka --topic palo
```

> Improve Palo Alto parser to handle CONFIG and SYSTEM syslog messages
> --------------------------------------------------------------------
>
>                 Key: METRON-1740
>                 URL: https://issues.apache.org/jira/browse/METRON-1740
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Yi Liu
>            Priority: Major
>
> As a Metron user (security analyst),
> I would like Metron's Palo Alto parser to be able to parse CONFIG and SYSTEM PanOS syslog messages,
> so that I can know what, when and how the system configuration has been changed and how the system has been running.
>
> The current PaloAlto parser (BasicPaloAltoFirewallParser) only supports THREAT and TRAFFIC log messages. The task is to extend it to support CONFIG and SYSTEM log messages. The supported PanOS versions are 6.1, 7.0 and 8.0.
> The sample of CONFIG log (PanOS 7.0):
> {code:java}
> 1,2017/08/11 11:23:36,999900009999,CONFIG,0,0,2017/08/11 11:23:36,192.168.14.162,,edit,admin,Web,Succeeded, vsys vsys4 ruleXXXX XXXXX rules dev-to-dev-ext-http-https,1336,0x0,0,0,0,0,,dev-something200-01
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
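Added example, not code from the PR or from Metron's BasicPaloAltoFirewallParser: a small Python routine that splits the PanOS 7.0 CONFIG sample from the issue into named fields and flags the successful changes an analyst would want to review. The column names are my assumption based on the vendor's documented CONFIG field order, since the issue only shows the raw line; the command list is likewise assumed.

```python
import csv
from io import StringIO

# Column names for a PAN-OS 7.0 CONFIG log. ASSUMPTION: taken from the vendor's
# documented field order; the issue only shows the raw line, not the headers.
CONFIG_FIELDS = [
    "future_use_1", "receive_time", "serial", "type", "subtype", "future_use_2",
    "generated_time", "host", "vsys", "command", "admin", "client", "result",
    "configuration_path", "seqno", "action_flags", "dg_hier_1", "dg_hier_2",
    "dg_hier_3", "dg_hier_4", "vsys_name", "device_name",
]

# Constructed sample: the CONFIG line from the issue description, joined onto one line.
SAMPLE_CONFIG = (
    "1,2017/08/11 11:23:36,999900009999,CONFIG,0,0,2017/08/11 11:23:36,"
    "192.168.14.162,,edit,admin,Web,Succeeded, vsys vsys4 ruleXXXX XXXXX rules "
    "dev-to-dev-ext-http-https,1336,0x0,0,0,0,0,,dev-something200-01"
)

# Constructed sample of another log type; the CONFIG column map must not be applied to it.
SAMPLE_OTHER = "1,2017/08/11 11:23:36,999900009999,TRAFFIC,end,0,2017/08/11 11:23:36"


def parse_config_log(line):
    """Map one CONFIG line to a dict of named fields.

    Returns None for other log types or for a column count that does not match,
    so a format change shows up as a parse failure (the "failed to parse" the
    reviewer grepped for) instead of silently shifting every field by one.
    """
    fields = next(csv.reader(StringIO(line)))  # PAN-OS quotes fields that contain commas
    if len(fields) < 4 or fields[3] != "CONFIG":
        return None
    if len(fields) != len(CONFIG_FIELDS):
        return None
    # The configuration path in the sample carries a leading space; strip all values.
    return {name: value.strip() for name, value in zip(CONFIG_FIELDS, fields)}


# ASSUMPTION: CONFIG command values that alter running or candidate configuration.
CHANGE_COMMANDS = {"set", "edit", "delete", "rename", "move", "clone", "commit"}


def is_successful_change(record):
    """True for a CONFIG event that actually altered configuration; a failed
    attempt is also worth logging, but a succeeded change is what to review."""
    return record["result"] == "Succeeded" and record["command"] in CHANGE_COMMANDS
```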