[ 
https://issues.apache.org/jira/browse/METRON-1740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591937#comment-16591937
 ] 

ASF GitHub Bot commented on METRON-1740:
----------------------------------------

Github user JonZeolla commented on the issue:

    https://github.com/apache/metron/pull/1171
  
    I spun up this PR, and threw some logs from my Palo (Monitor > Logs > downloaded the max number of logs that I could from Threat, Traffic, Configuration, and System (CSV format) and put in flat files in the dev centos6 box).
    
    It appeared to work as expected but I need to look into one bug from scratch to see if it's related to this PR, master, or PEBKAC.  Here's roughly what I did:
    
    ```
    vagrant up
    vagrant ssh
    sudo service sensor-stubs stop
    export PATH=$PATH:/usr/hdp/current/kafka-broker/bin
    export METRON_HOME=/usr/metron/0.5.1
    export zk=node1:2181
    export kafka=node1:6667
    screen
    # Went to the management UI and added a new sensor with name/topic of palo, parser type PaloAltoFirewall, and started it.
    vi $METRON_HOME/config/zookeeper/parsers/palo.json
    # Created {config,system,threat,traffic}.csv using the data from my palo
    kafka-topics.sh --create --zookeeper $zk --replication-factor 1 --partitions 1 --topic palo
    kafka-console-consumer.sh --zookeeper $zk --topic palo
    # Create new screen session
    kafka-console-consumer.sh --zookeeper $zk --topic enrichments
    # Create new screen session
    sudo tail -f /var/log/storm/workers-artifacts/palo-*/*/worker.log | grep -i "failed to parse"
    # Create new screen session
    cat *.csv | kafka-console-producer.sh --broker-list $kafka --topic palo
    ```


> Improve Palo Alto parser to handle CONFIG and SYSTEM syslog messages
> --------------------------------------------------------------------
>
>                 Key: METRON-1740
>                 URL: https://issues.apache.org/jira/browse/METRON-1740
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Yi Liu
>            Priority: Major
>
> As a Metron user (security analyst)
> I would like Metron's Palo Alto parser to be able to parse CONFIG and SYSTEM 
> PanOS syslog messages
> so that I can know what, when, and how the system configuration has been changed 
> and how the system has been running. 
>  
> The current PaloAlto parser (BasicPaloAltoFirewallParser) only supports 
> THREAT and TRAFFIC log messages. The task is to extend it to support CONFIG 
> and SYSTEM log messages. The supported PanOS versions are 6.1, 7.0 and 8.0.
> The sample of CONFIG log (PanOS 7.0)
> {code:java}
> 1,2017/08/11 11:23:36,999900009999,CONFIG,0,0,2017/08/11 11:23:36,192.168.14.162,,edit,admin,Web,Succeeded, vsys  vsys4 ruleXXXX XXXXX rules  dev-to-dev-ext-http-https,1336,0x0,0,0,0,0,,dev-something200-01
> {code}
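An added example (not Metron's parser code) showing how the CONFIG record quoted above splits into named fields; the 22-column layout and the column names are assumed from the PAN-OS 7.x CONFIG syslog format, and the second sample line is constructed to show a double-quoted configuration path containing a comma, which a naive comma split would mishandle.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Column names assumed from the PAN-OS 7.x CONFIG syslog layout (22 fields);
# they are this example's names, not the field names Metron's parser emits.
CONFIG_FIELDS = [
    "future_use1", "receive_time", "serial_number", "type", "subtype",
    "future_use2", "generated_time", "host", "virtual_system", "command",
    "admin", "client", "result", "configuration_path", "sequence_number",
    "action_flags", "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3",
    "dg_hier_level_4", "vsys_name", "device_name",
]

# Constructed samples: the CONFIG line quoted in METRON-1740, and a variant
# whose configuration path contains a comma and is therefore double-quoted.
SAMPLE_CONFIG = (
    "1,2017/08/11 11:23:36,999900009999,CONFIG,0,0,2017/08/11 11:23:36,"
    "192.168.14.162,,edit,admin,Web,Succeeded, vsys  vsys4 ruleXXXX XXXXX "
    "rules  dev-to-dev-ext-http-https,1336,0x0,0,0,0,0,,dev-something200-01"
)
SAMPLE_QUOTED = SAMPLE_CONFIG.replace(
    " vsys  vsys4 ruleXXXX XXXXX rules  dev-to-dev-ext-http-https",
    '"vsys vsys4 rulebase security rules allow-a,b"',
)

def split_pan_csv(line):
    """Split one PAN-OS CSV record; a field holding a comma is double-quoted,
    so a naive str.split(',') would shift every later column."""
    return next(csv.reader(StringIO(line.rstrip("\r\n"))))

def parse_config_log(line):
    """Return a dict of named fields for a CONFIG record, or raise otherwise."""
    fields = split_pan_csv(line)
    log_type = fields[3] if len(fields) > 3 else None
    if log_type != "CONFIG":
        raise ValueError("not a CONFIG record: type=%r" % log_type)
    if len(fields) != len(CONFIG_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CONFIG_FIELDS), len(fields)))
    event = dict(zip(CONFIG_FIELDS, fields))
    # The device pads the configuration path with doubled spaces; normalise it.
    event["configuration_path"] = " ".join(event["configuration_path"].split())
    # Epoch milliseconds from the generated time (device clock assumed UTC).
    gen = datetime.strptime(event["generated_time"], "%Y/%m/%d %H:%M:%S")
    event["timestamp"] = int(gen.replace(tzinfo=timezone.utc).timestamp() * 1000)
    event["succeeded"] = event["result"] == "Succeeded"
    return event
```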



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)