Log Parsing

Reply
L1 Bithead

Log Parsing

Hi team,

 

i am sending the firewall logs to a kibana for log analytic purpose and i ran into a minor issue i can not find a good working grok parsing for the logs that will actually work.

 

any chances any one here done that and can help me with it ?

 

Bets Regards,

Alex.

Highlighted
L7 Applicator

Re: Log Parsing

Hello,

What are you attempting to parse? Are you using ELK on the back end? Kibana is really only the web front end.

 

Please expand on your inquiry.

 

Regards,

Highlighted
L2 Linker

Re: Log Parsing

As @OtakarKlier told you, the problem is outside Kibana, which is "just" a GUI over something else. Kibana gets its data from another place, usually ElasticSearch, which is "just" an indexed storage. Something else will put data into ES, and a common tool to do that is Logstash, which is where you configure all parsing operations.


For PANFW logs you'd generally use a CSV parser, rather than a Grok one, since the logs have a fixed structure and the CSV parser is much faster than the Grok one (more flexible). My configuration is quite complicated, but I think I've started from this tutorial: https://anderikistan.com/2016/03/26/elk-palo-alto-networks/

 

I doubt your Kibana gets its data from anything else than Elasticsearch, while your Elasticsearch might get its input from something different than Logstash: try to explore a CSV-style parser for your log processor of choice. Also, if possible, I recommend creating the proper mappings in your ES firewall indexes (i.e. an integer gets stored as an integer, an IP as an IP, and so on).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!