[jira] [Commented] (METRON-1740) Improve Palo Alto parser to handle CONFIG and SYSTEM syslog messages

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/METRON-1740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16592188#comment-16592188
 ] 

ASF GitHub Bot commented on METRON-1740:
----------------------------------------

Github user JonZeolla commented on the issue:

    https://github.com/apache/metron/pull/1171
  
    Ok I took a larger sampling and redid my testing.  Things still look good 
at a high level.
    ```
    $ wc -l *csv
       1046 config.csv
      32424 system.csv
        100 threat.csv
       5090 traffic.csv
      38660 total
    ```
    
    ```
    vagrant up
    vagrant ssh
    sudo service sensor-stubs stop
    export PATH=$PATH:/usr/hdp/current/kafka-broker/bin
    export METRON_HOME=/usr/metron/0.5.1
    export zk=node1:2181
    export kafka=node1:6667
    screen
    # Go to the management UI and add a new sensor with name/topic of palo, 
parser type PaloAltoFirewall, and start it.
    # Created {config,system,threat,traffic}.csv using the data from my palo
    # Restart Metron Parsers in Ambari
    kafka-topics.sh --create --zookeeper $zk --replication-factor 1 
--partitions 1 --topic palo
    kafka-console-consumer.sh --zookeeper $zk --topic palo
    # Create new screen session
    kafka-console-consumer.sh --zookeeper $zk --topic enrichments
    # Create new screen session
    tail -f /var/log/storm/workers-artifacts/palo*/*/worker.log | grep -i 
"failed to parse"
    # Create new screen session
    cat *.csv | kafka-console-producer.sh --broker-list $kafka --topic palo
    ```
    
    No messages failed to parse, and the number of messages I sent to the palo 
topic equaled the number that hit enrichments (38660 messages).


> Improve Palo Alto parser to handle CONFIG and SYSTEM syslog messages
> --------------------------------------------------------------------
>
>                 Key: METRON-1740
>                 URL: https://issues.apache.org/jira/browse/METRON-1740
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Yi Liu
>            Priority: Major
>
> As a Metron's user (security analyst)
> I would like Metron's Palo Alto parser be able to parse CONFIG and SYSTEM 
> PanOS syslog messages
> so that I can know what, when how the system configuration has been changed 
> and how the system has been running. 
>  
> The current PaloAlto parser (BasicPaloAltoFirewallParser) only supports 
> THREAT and TRAFFIC log messages. The task is to extend it to support CONFIG 
> and SYSTEM log messages. The supported PanOS versions are 6.1, 7.0 and 8.0.
> The sample of CONFIG log (PanOS 7.0)
> {code:java}
> 1,2017/08/11 11:23:36,999900009999,CONFIG,0,0,2017/08/11 
> 11:23:36,192.168.14.162,,edit,admin,Web,Succeeded, vsys  vsys4 ruleXXXX XXXXX 
> rules  dev-to-dev-ext-http-https,1336,0x0,0,0,0,0,,dev-something200-01
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)