01-14-2020 04:45 AM
I am sending the firewall logs to Kibana for log analytics purposes and I ran into a minor issue: I cannot find a good working grok parsing for the logs that will actually work.
Any chance anyone here has done that and can help me with it?
01-14-2020 02:57 PM
What are you attempting to parse? Are you using ELK on the back end? Kibana is really only the web front end.
Please expand on your inquiry.
01-17-2020 01:43 AM
As @OtakarKlier told you, the problem is outside Kibana, which is "just" a GUI over something else. Kibana gets its data from another place, usually ElasticSearch, which is "just" an indexed storage. Something else will put data into ES, and a common tool to do that is Logstash, which is where you configure all parsing operations.
For PANFW logs you'd generally use a CSV parser rather than a Grok one, since the logs have a fixed structure and the CSV parser is much faster than the Grok one (which is more flexible). My configuration is quite complicated, but I think I started from this tutorial: https://anderikistan.com/2016/03/26/elk-palo-alto-networks/
I doubt your Kibana gets its data from anything other than Elasticsearch, while your Elasticsearch might get its input from something other than Logstash: try to explore a CSV-style parser for your log processor of choice. Also, if possible, I recommend creating the proper mappings in your ES firewall indexes (i.e. an integer gets stored as an integer, an IP as an IP, and so on).
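To illustrate the point of the reply above, here is an added example (not from the thread or from any vendor tooling) that parses comma-separated firewall log lines the way a CSV filter would and coerces each column to the type it should have in the index. The column layout, the syslog header format and the sample lines are constructed for illustration and are deliberately much shorter than the real PAN-OS layout, which you must take from the documentation for your PAN-OS version.

```python
import csv
import io
import ipaddress
import re

def ip(s):
    """Validate an IP address and return it normalised as a string."""
    return str(ipaddress.ip_address(s))

# Constructed, simplified column layout (name, type caster). Illustrative
# only; the real firewall log layout has many more positional fields.
SCHEMA = [
    ("receive_time", str), ("serial", str), ("type", str), ("subtype", str),
    ("src_ip", ip), ("dst_ip", ip), ("rule", str), ("app", str),
    ("src_port", int), ("dst_port", int), ("action", str), ("bytes", int),
]

# Assumed syslog header in front of the CSV body: "<pri>Mon DD HH:MM:SS host ".
SYSLOG_PREFIX = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+\s[\d:]+\s\S+\s")

def parse_line(line):
    """Return a typed dict for one log line, or None if the line does not fit the schema."""
    body = SYSLOG_PREFIX.sub("", line.strip(), count=1)
    # csv.reader honours quoted fields, so a rule name containing a comma
    # is still one column; a plain split(",") would shift every later field.
    fields = next(csv.reader(io.StringIO(body)))
    if len(fields) != len(SCHEMA):
        return None
    doc = {}
    for (name, cast), raw in zip(SCHEMA, fields):
        try:
            doc[name] = cast(raw)
        except ValueError:
            return None  # e.g. a non-numeric port: reject instead of indexing a string into an integer field
    return doc

def parse_lines(lines):
    """Split lines into well-typed documents and rejected raw lines."""
    good, bad = [], []
    for line in lines:
        doc = parse_line(line)
        if doc is None:
            bad.append(line)
        else:
            good.append(doc)
    return good, bad

# Constructed sample lines, not real firewall output.
SAMPLE_LINES = [
    '<14>Jan 14 04:45:00 fw01 2020/01/14 04:45:00,001234567890,TRAFFIC,end,10.0.0.5,192.0.2.10,"allow web, dns",web-browsing,51234,443,allow,8421',
    '<14>Jan 14 04:45:01 fw01 2020/01/14 04:45:01,001234567890,TRAFFIC,end,10.0.0.7,192.0.2.20,deny-all,not-applicable,52000,abc,deny,0',
]
```

Rejected lines are kept separately so a parsing failure shows up as a count you can alert on rather than as silently mistyped documents in the index.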